Can users opt in for MFA if the tenant Multifactor Policy has "Optional" factors?
We have both of the Eligible Factors in our tenant's MFA policy set to "Optional" - I was able to complete factor setup with a test user, but am unable to find anywhere that the user can enable the factor. Is this "Optional" parameter just to allow users to set up the factor? Or is there some way for them to opt in to have multifactor required if they want to secure their account and/or application access?
If you complete factor setup for a user, then that factor is enabled for that user from then on. To use the factor, however, a Sign-On Policy that requires an MFA challenge must be applied to the user. You can create one of these policies from Okta Admin -> Security -> Authentication -> Sign On tab.
Once a valid sign-on policy is in place, your user will be able to use whichever MFA factor they have set up to satisfy the challenge. If they set up multiple optional factors, then they will get to choose which factor they would like to use for the challenge. A user can see what factors they have enabled by going to their Okta Homepage and then clicking on their name, and then Settings.
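The gap between enrolling a factor and being challenged for it by a sign-on policy can be audited offline. The Python below is an added example, not part of the original thread and not Okta's code: the users, groups and policies are constructed, the field names (`status`, `requireFactor`, `conditions.people.groups.include`) are assumed to mirror Okta's Factors and Policy API JSON, and rule-level conditions are ignored.

```python
# Constructed sample data; field names are assumed to mirror Okta's API JSON.
POLICIES = [  # sign-on policies; lower priority number is evaluated first
    {"name": "MFA pilot", "priority": 1, "status": "ACTIVE",
     "conditions": {"people": {"groups": {"include": ["grp-mfa-pilot"]}}},
     "rules": [{"priority": 1, "status": "ACTIVE",
                "actions": {"signon": {"requireFactor": True}}}]},
    {"name": "Default Policy", "priority": 2, "status": "ACTIVE",
     "conditions": {"people": {"groups": {"include": ["grp-everyone"]}}},
     "rules": [{"priority": 1, "status": "ACTIVE",
                "actions": {"signon": {"requireFactor": False}}}]},
]
USERS = [
    {"login": "alice@example.com", "groups": ["grp-everyone", "grp-mfa-pilot"],
     "factors": [{"factorType": "token:software:totp", "status": "ACTIVE"}]},
    {"login": "bob@example.com", "groups": ["grp-everyone"],
     "factors": [{"factorType": "sms", "status": "ACTIVE"}]},
    {"login": "carol@example.com", "groups": ["grp-everyone", "grp-mfa-pilot"],
     "factors": [{"factorType": "sms", "status": "PENDING_ACTIVATION"}]},
    {"login": "dave@example.com", "groups": ["grp-everyone"], "factors": []},
]

def requires_factor(groups, policies):
    """True if the first matching active policy and rule demand an MFA challenge."""
    for policy in sorted(policies, key=lambda p: p["priority"]):
        include = policy["conditions"]["people"]["groups"]["include"]
        if policy["status"] != "ACTIVE" or not set(include) & set(groups):
            continue
        for rule in sorted(policy["rules"], key=lambda r: r["priority"]):
            if rule["status"] == "ACTIVE":  # rule conditions ignored (simplified)
                return bool(rule["actions"]["signon"].get("requireFactor"))
    return False

def classify(user, policies):
    """Compare what the user enrolled with what the policy enforces."""
    enrolled = any(f["status"] == "ACTIVE" for f in user["factors"])
    challenged = requires_factor(user["groups"], policies)
    if enrolled and challenged:
        return "challenged"
    if enrolled:
        return "enrolled_not_challenged"  # the situation in the question
    return "required_but_not_enrolled" if challenged else "no_mfa"

def audit(users, policies):
    return {u["login"]: classify(u, policies) for u in users}

if __name__ == "__main__":
    for login, state in audit(USERS, POLICIES).items():
        print(f"{login:20} {state}")
```

Accounts reported as `enrolled_not_challenged` have a factor set up but sign in with a password alone until a policy that requires a factor applies to them.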
Thank you for the answer - it is very much appreciated. We're actually looking for a way that users could voluntarily "self-enroll" for MFA, as a precursor to us enforcing it via the Sign On policies. Is that currently possible?