Multifactor policy Skip to main content
https://support.okta.com/help/answers?id=906f0000000hzo2iac&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
1
2
3
4
5
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Patrick CesardPatrick Cesard 

Multifactor policy

Hello.
I set up my default MFA policy to have 2 factors as REQUIRED for users when signing into Okta. For example, require Okta Verify and SMS. However when the user logs, he is only prompted for one factor. I thought he'd be prompted for both factors required in the policy?

Also if I add another MF policy, it does not seem to take precedence over the default one (which cannot be deleted). Has anybody else experienced some weirdness with this?
Eric KarlinskyEric Karlinsky (Okta, Inc.)
Hey Patrick,

A few things to check: 

First, make sure the end user is in the group to which the policy is scoped. This may be obvious, but it's often overlooked as a reason that policies fail to take effect. 

Second, the MFA Enrollment policy applies to enrollment, not enforcement. So the end user will be required to enroll per the policy, but that doesn't mean they're required to provide a second factor to authenticate.

If you provide a screenshot of your policy configuration, I can help you troubleshoot.

Thanks,
Eric
Eric Karlinsky, Sr. Technical Marketing Mgr., Okta
Patrick CesardPatrick Cesard
Hi Karl. My user is in the group. Also sounds like one cannot setup more than one factor at enforcement, so max. is 2 factor at enforcement (password + one factor like Okta Verify), is that right?
Eric KarlinskyEric Karlinsky (Okta, Inc.)
Hey Isaac - Sorry for the delayed response. I misunderstood your original post. You're correct, right now Okta only supports a single prompt for MFA, so you can enable multiple sequential factors into an authentication chain. The MFA Enrollment Policy only forces end uses to enroll for the authentication methods you want them to use.