Hello. I set up my default MFA policy to have 2 factors as REQUIRED for users when signing into Okta. For example, require Okta Verify and SMS. However, when the user logs in, he is only prompted for one factor. I thought he'd be prompted for both factors required in the policy?
Also, if I add another MFA policy, it does not seem to take precedence over the default one (which cannot be deleted). Has anybody else experienced some weirdness with this?
First, make sure the end user is in the group to which the policy is scoped. This may be obvious, but it's often overlooked as a reason that policies fail to take effect.
Second, the MFA Enrollment policy applies to enrollment, not enforcement. So the end user will be required to enroll per the policy, but that doesn't mean they're required to provide a second factor to authenticate.
If you provide a screenshot of your policy configuration, I can help you troubleshoot.
Thanks,
Eric
Eric Karlinsky, Sr. Technical Marketing Mgr., Okta
Hey Isaac - Sorry for the delayed response. I misunderstood your original post. You're correct, right now Okta only supports a single prompt for MFA, so you can enable multiple sequential factors into an authentication chain. The MFA Enrollment Policy only forces end users to enroll for the authentication methods you want them to use.