Which MFA Factor is used for a user if multiple are configured?
If a user has multiple MFA factors set up, how does Okta decide?
I recently did some testing, and it seemed that the most recently set up factor was used - e.g. if I reset my security question, then I am prompted to provide a security answer each time I log in rather than Okta Verify, which I set up first.
However, when I look at the MFA Usage report, I see that for some users the most recently used MFA Factor is not necessarily the most recently enrolled.
I understand that if multiple factors are enabled and enrolled, the user will get the option to choose. In my configuration, Okta Verify was enabled as 'Required' while another factor was 'Optional'. The users got the Verify option by default but could choose the other factor through a small drop-down arrow on the MFA page.
Yes - users can choose, but I don't expect them to select the most secure option, and the majority are just going to use the first one presented unless for some reason they cannot. I only want users using Security Question when they aren't able to use a more secure option - this is defeated when they are presented with the Security Question every time they log in.
My question is about which MFA factor is presented to a user - how is this determined? Is there any way that an admin can set a preference?
The administrator has the ability to configure the policy to not allow weak factors such as Security Questions. See more here: https://help.okta.com/en/prod/Content/Topics/Security/MFA.htm?cshid=Security_FactorPolicies#MultifactorPolicies
If you consider one factor weaker than the other, you should not allow that option at all. If security is the concern, attackers will always know how to pick the weaker option. If a weaker option is used as a fallback to a stronger option, an attacker would still be able to fall back. I believe that if multiple options are to be provided, we should be sure that they are of the same strength for our security requirements.
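The two replies above make the same point from different sides: the admin can disallow a weak factor in the MFA enrollment policy, and if a weak factor stays enrollable it remains a fallback, so the effective assurance of the policy is that of its weakest enrollable factor. The following is an added example (not Okta's code and not from this thread) that audits the `settings.factors` object of an MFA enrollment policy, as returned by the Okta Management API (`GET /api/v1/policies?type=MFA_ENROLL`), and builds a hardened copy with the weak factors set to `NOT_ALLOWED`. The policy document is a constructed sample with a placeholder id, and the set of factors treated as "weak" is an assumption made for the example.

```python
"""Audit an Okta MFA enrollment policy for weak factors and emit a hardened copy.

Added example, not Okta's own code. It operates on the `settings.factors` object
of an MFA_ENROLL policy; the policy document below is a constructed sample and
the WEAK_FACTORS set is an assumption chosen for this example.
"""
import copy
import json

# Assumption: the factor keys this audit treats as weak. The security question
# is the one the thread discusses; SMS and voice are listed as further
# phishable factors a team might decide to ban as well.
WEAK_FACTORS = {"okta_question", "okta_sms", "okta_call"}

# Constructed sample shaped like an Okta MFA_ENROLL policy. Valid values for
# `enroll.self` are NOT_ALLOWED, OPTIONAL and REQUIRED.
SAMPLE_POLICY = {
    "id": "00pEXAMPLEPOLICY",  # placeholder, not a real policy id
    "type": "MFA_ENROLL",
    "name": "Default Policy",
    "settings": {
        "factors": {
            "okta_verify": {"enroll": {"self": "REQUIRED"}, "consent": {"type": "NONE"}},
            "okta_question": {"enroll": {"self": "OPTIONAL"}, "consent": {"type": "NONE"}},
            "okta_sms": {"enroll": {"self": "NOT_ALLOWED"}, "consent": {"type": "NONE"}},
        }
    },
}


def enrollable_factors(policy):
    """Return the factor keys a user may enrol in (OPTIONAL or REQUIRED), sorted."""
    factors = policy.get("settings", {}).get("factors", {})
    return sorted(
        key
        for key, cfg in factors.items()
        if cfg.get("enroll", {}).get("self", "NOT_ALLOWED") != "NOT_ALLOWED"
    )


def weak_factors_allowed(policy, weak=WEAK_FACTORS):
    """Weak factors the policy still lets users enrol in, i.e. usable as a fallback."""
    return [f for f in enrollable_factors(policy) if f in weak]


def harden_policy(policy, weak=WEAK_FACTORS):
    """Return a deep copy of the policy with every weak factor set to NOT_ALLOWED.

    The original document is left untouched; the caller would write the result
    back through the Policies API after review.
    """
    hardened = copy.deepcopy(policy)
    factors = hardened.get("settings", {}).get("factors", {})
    for key in weak:
        cfg = factors.get(key)
        if cfg is not None:
            cfg.setdefault("enroll", {})["self"] = "NOT_ALLOWED"
    return hardened


if __name__ == "__main__":
    print("enrollable factors:", enrollable_factors(SAMPLE_POLICY))
    print("weak factors still allowed:", weak_factors_allowed(SAMPLE_POLICY))
    fixed = harden_policy(SAMPLE_POLICY)
    print("weak factors after hardening:", weak_factors_allowed(fixed))
    print(json.dumps(fixed["settings"]["factors"], indent=2))
```

Run against the sample, the audit reports `okta_question` as an enrollable weak factor even though Okta Verify is required, which is exactly the fallback situation the replies describe; the hardened copy flips it to `NOT_ALLOWED` so the only remaining enrollable factor is Okta Verify.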