Charles Soesanto

How do I disable specific MFA for ONE user only?

I have a Global Policy set to only use MFA with Okta Verify or Google Authenticator - no SMS-based 2FA - for every user.

One particular user is having an issue with his phone and cannot download the Okta Verify or Google Authenticator app, effectively locking him out of Okta.

So I would like to temporarily set SMS-based 2FA just for this one user, while maintaining non-SMS-based 2FA for every other user. How can I do this?

Basically this is what I am trying to achieve:

1). Global Policy set NOT to use SMS-based 2FA for all users (this is done)

2). For one user (say Joe) only, I would like to set up SMS-based 2FA. Everyone else still has to use non-SMS-based 2FA

3). Once Joe's phone is fixed, I want to enforce no SMS-based 2FA for him.
Kevin Turner (Okta, Inc.)
As per your order, you would need to create a policy and rule, making sure they are the first policies/rules in the hierarchy (as they are triggered from top down).

So create a global registration policy that allows Joe to use and register for SMS as part of his login/registration policy.

Then, on the application SSO tab, create a rule that allows (only Joe, or a group that Joe's a member of, say 'SMS'), again placing this first in the list.

Once Joe has his new phone, remove Joe's name from both policies/rules or group membership.

Thanks
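
The ordering point in the answer above, shown as an added example that is not part of the original thread and is not Okta's code or API. It is a simplified first-match model of top-down policy evaluation. The policy names, factor labels and sample directory are constructed, and the 'SMS' group is the hypothetical group from the answer.

```python
# Simplified model of top-down, first-match policy evaluation.
# Assumption for illustration only; this is not Okta's implementation or API.
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset    # groups the policy is assigned to
    factors: frozenset   # factors the policy lets a matching user enroll/use

def allowed_factors(policies, user_groups):
    """Return (policy name, factors) of the first policy, top down, that matches."""
    for policy in policies:
        if policy.groups & user_groups:
            return policy.name, policy.factors
    raise LookupError("no policy matched")

# Constructed policies: the default denies SMS, the exception allows it.
DEFAULT = Policy("Default", frozenset({"Everyone"}),
                 frozenset({"okta_verify", "google_authenticator"}))
SMS_EXCEPTION = Policy("Temporary SMS", frozenset({"SMS"}), frozenset({"sms"}))

def users_on_exception(policies, directory, exception=SMS_EXCEPTION):
    """Users whose effective policy is the exception; this should trend to empty."""
    return sorted(user for user, groups in directory.items()
                  if allowed_factors(policies, groups)[0] == exception.name)

# Constructed sample directory: only Joe is in the hypothetical 'SMS' group.
DIRECTORY = {
    "joe": frozenset({"Everyone", "SMS"}),
    "ann": frozenset({"Everyone"}),
}

CORRECT_ORDER = [SMS_EXCEPTION, DEFAULT]  # exception first, as the answer says
WRONG_ORDER = [DEFAULT, SMS_EXCEPTION]    # default matches Joe first; exception never fires

if __name__ == "__main__":
    for label, order in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        for user, groups in DIRECTORY.items():
            name, factors = allowed_factors(order, groups)
            print(f"{label:8} {user:4} -> {name}: {sorted(factors)}")
    print("still on exception:", users_on_exception(CORRECT_ORDER, DIRECTORY))
```

Running `users_on_exception` against the real group membership on a schedule is one way to make sure the temporary SMS exception is actually withdrawn once the phone is replaced.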