MFA Setup - setting up the factor before requiring MFA Skip to main content
https://support.okta.com/help/answers?id=906f0000000qthvia0&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
1
2
3
4
5
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
John HowieJohn Howie 

MFA Setup - setting up the factor before requiring MFA

Hi All,
I'd like to have users setup a second factor (in this case a security question) before requiring they use MFA to authenticate to Okta.  Right now without MFA enabled they cannot setup a security question (doesn't show in their profile).  If I turn on MFA all at once everyone would be required to setup a question immediately and I like to give people more runway than that.  Is there a way to get this to work?

Thanks!
 
Eric KarlinskyEric Karlinsky (Okta, Inc.)
Hey John,

Our MFA Enrollment policy type is currently in EA, which means Support can turn it on for you. This policy give you much more granuarity around when users are asked to enroll a second factor and which methods the end user is permitted to set up. I think this could address this issue.

Thanks,
Eric
John HowieJohn Howie
Would it be possible to enroll their factors without requiring they actually use them at the time?
api-workday api-workdayapi-workday api-workday
Hi John,

One way to do this that doesn't required the new enrollment policy.
  • Enable MFA Factors but don't required them for Okta Sign On
  • Publish a Bookmark app and set an application Sign On Polciy for that application to require MFA
  • Assign that application to your users and instruct them to visit the app to force the enrollment sequence
The destination could be a landing page that congratulates your users on their enrollment and usage of MFA or well anything for that matter.

-Matt