Which MFA Factor is used for a user if multiple are configured? Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Duncan DruryDuncan Drury 

Which MFA Factor is used for a user if multiple are configured?

If a user has multiple MFA factors set up, how does Okta decide?

I recently did some testing, and it seemed that the most recently set up factor was used - e.g. if I reset my security question, then I am prompted to provide a security answer each time I login rather than Okta Verify which I set up first.

However, when I look at the MFA Usage report, I see that for some users the most recently used MFA Factor is not necessarily the most recently enrolled.
Ajay SuriAjay Suri
I understand that if multiple factors are enabled and enrolled for, user will get option to choose.
In my configuration, Okta verify was enabled as 'Required' while one another factor was 'Optional'.
The users got the verify option by default but could chose the another factor through a small drop down arrow on the MFA page.
Duncan DruryDuncan Drury
Yes - users can choose, but I don't expect them to select the most secure and the majority are just going to use the first one presented unless for some reason they cannot. I only want users using Security Question when they aren't able to use a more secure option - this is defeated when they are presented with the Security Question every time they login.

My question is about which MFA factor is presented to a user - how is this determined? Is there any way that an admin can set a preference?
Chidananda BoligaddeChidananda Boligadde
Administrator has the ability to configure the policy to not allow the weak factors such as Security Questions. See more here: https://help.okta.com/en/prod/Content/Topics/Security/MFA.htm?cshid=Security_FactorPolicies#MultifactorPolicies
Dylann FezeuDylann Fezeu (Customer First Programs)

Thanks for posting your inquiry in Okta Community Portal.

If you receive a great answer to your question(s), please help readers find it by marking it the best answer. Hover over the answer and click "Best Answer." 

Thank you,

Dylann Fezeu
Okta Help Center Team
Ajay SuriAjay Suri
If you consider one factor weaker than the other, you should not allow that option at all.
If security is the concern, attackers will always know how to pick up the weaker option.
If a weaker option is used as a fall-back to a stronger option, attacker would still be able to fall-back.
I believe if multiple options are to be provided, we should be sure that they are of same strength for our security requirements.