Authenticator enrollment policy
Authenticator enrollment policies let you manage how and when your end users enroll authenticators. You can create policies and rules for specific authenticators, user groups, and situations.
If the user is missing any required authenticators when they access Okta or an Okta-protected app, they're prompted to enroll them, followed by optional authenticators.
You can create authentication enrollment policies customized for different user groups. The policy allows you to select from the eligible authenticators and make them required, optional, or disabled for enrollment.
You add rules to a policy to determine situations this policy applies to. Configure rules to match different scenarios and define how the rules should behave. For example, you can allow authenticator enrollment for users accessing certain apps, or you can deny enrollment if users access Okta from certain locations.
Okta may prompt users to enroll more authenticators if other policies such as the global session policy, authentication policy, or password policy require them.