This article describes the experience of an end-user during authentication after an authenticator is disabled from an Enrollment policy.

 

• Multi-Factor Authentication (MFA)
• Enrollment Policy
• Authenticators

The end-user will not be able to use that authenticator for Multi-Factor Authentication.

• Users who are enrolled in an authenticator will be forced to enroll using any of the other enrollment factors available (for example, Okta Verify, SMS Authentication, etc.) to access the application.
• If the disabled factor were the only other available factor, then the user would not be allowed to authenticate, as they would not be able to satisfy the authentication policy, which requires the second factor (see System Log Message "Access has been denied... for more information).

• Even though the disabled factor can not be used for Multi-Factor Authentication due to the current Enrollment policy, the end-user's enrollment in that factor is unaffected.