End User Experience when MFA is Required in Policies
Multi-Factor Authentication
Okta Identity Engine
Overview

This article reviews how MFA requirements in the Global Session Policy (GSP) and the Authentication Policy (AP, formerly the App Sign-On Policy or ASOP) affect the end-user sign-in experience in Okta Identity Engine.

Applies To
  • Multi-Factor Authentication (MFA)
  • Okta Identity Engine (OIE)
Solution
  • The Authentication Policy of an app is always evaluated when the user accesses that app.
  • The Global Session Policy is evaluated only when the user does not already have an Okta session.

  • Whether the Global Session Policy has MFA set to Not Required or Required, a new user is still required to enroll an authenticator if the authenticator enrollment policy marks that authenticator as Required.

  • When a user accesses an application (for example, the Okta Dashboard), the Authentication Policy of that app is evaluated. If the Global Session Policy has MFA set to "Not Required", the app's Authentication Policy decides whether the user is prompted for another factor.

 

Test Scenarios

Application: Okta Dashboard

Authentication Policy = Password + Another Factor

Global Session Policy:

  • Establish the user session with: "Any factor used to meet the Authentication Policy requirements".

For New Users

Whether the Global Session Policy has MFA set to Not Required or Required, new users are still prompted to enroll a required authenticator such as Okta Verify; it does not matter which policy is evaluating the new user.

Even if the App Authentication Policy requires Password Only, the user still has to enroll and verify the required factors before signing in.



Test 1:
Global Session Policy: Multifactor authentication (MFA) is = Required.

1. User logs in with username/password.
2. Prompted to set up MFA. Choose Okta Verify.
3. Scans Okta Verify QR Code.
4. Enrolled in Okta Verify.
5. Prompted to set up optional MFA: Duo, Google Auth, etc.
6. Hit Continue.
7. User successfully logs in.


Test 2:
Global Session Policy: Multifactor authentication (MFA) is = Not Required.

1. User logs in with username/password.
2. Prompted to set up MFA. Choose Okta Verify.
3. Scans Okta Verify QR Code.
4. Enrolled in Okta Verify.
5. Prompted to set up optional MFA: Duo, Google Auth, etc.
6. Hit Continue.
7. User successfully logs in.

 


For Existing Users

If the Global Session Policy has MFA set to Required:

  • The App Authentication Policy for the Okta Dashboard requires Password + Another Factor.
  • The user is therefore prompted for Password + Another Factor (for example, Okta Verify).

After a new user has enrolled the required factors:

Scenario 1:
Global Session Policy: Multifactor authentication (MFA) is = Not Required.

1. User logs in with username/password.
2. Prompted to authenticate with MFA > select Okta Verify > select Code or Push. (The prompt comes from the App Authentication Policy, which requires Password + Another Factor, so a possession factor is required even though the Global Session Policy does not require MFA.)
3. Selected Okta Verify Push.
4. Okta Verify Push received and confirmed authentication.
5. The user successfully logs in.


Scenario 2: 
Global Session Policy: Multifactor authentication (MFA) is = Required.

1. User logs in with username/password.
2. Prompted to authenticate with MFA > select Okta Verify > select Code or Push. (The Global Session Policy requires MFA and the App Authentication Policy also requires Password + Another Factor, so a possession factor is required either way.)
3. Selected Okta Verify Push.
4. Okta Verify Push received and confirmed authentication.
5. The user successfully logs in.

NOTE:
The following test scenarios use an Authentication Policy that requires "Password" only.


Test Scenario 1: New User
Global Session Policy: Multifactor authentication (MFA) is = Required.

1. User logs in with username/password.
2. Prompted to set up MFA. Choose Okta Verify.
3. Scans QR Code.
4. Enrolled in Okta Verify.
5. Prompted to set up optional MFA: Duo, Google Auth, etc.
6. Hit Continue.
7. User successfully logs in.


Test Scenario 2: Existing User
Global Session Policy: Multifactor authentication (MFA) is = Required.
After a new user has enrolled the required factors:

1. User logs in with username/password.
2. Prompted to Authenticate with Okta Verify. Choose between Code or Push.
3. Selected Okta Verify Push.
4. Okta Verify Push received and confirmed authentication.
5. The user successfully logs in.


Test Scenario 3 and 4: Existing User and New User
Global Session Policy: Multifactor authentication (MFA) is = Not Required.

1. The user logs in with username/password.
2. The user successfully logs in with no factor prompt, because neither policy requires one. (A new user is still prompted to enroll first if the authenticator enrollment policy marks a factor as Required, as described above.)



NOTE:

  • When signing in to Okta through the LDAP interface (for example, Jamf authenticating against Okta LDAP), you can create a Global Session Policy rule scoped to that service account (or its group) that does not require MFA, so the service account is not prompted for a factor it cannot satisfy.
  • MFA is not controlled at the account level; it is controlled at the policy level. With such a rule in place, the service account is only required to use MFA where an Authentication Policy demands it, such as the Admin Console. The LDAP interface must not be treated as the Admin Console app.
  • Disabling MFA for the Admin Console is not a good practice.
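The evaluation order described in the Solution section (Authentication Policy always, Global Session Policy only without a session, required enrollment before anything else) and the scoped Global Session Policy rule suggested in the LDAP note can be walked through in code. The following model is an added example written for this article, not Okta code: the rule names, group names, factor names and prompt strings are this example's own, and it assumes a simplified first-matching-rule evaluation and that an authenticator enrolled during the same sign-in counts as the verified second factor, as Tests 1 and 2 above show.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class GspRule:
    """One Global Session Policy rule. Rules are tried in priority order; the first match wins."""
    name: str
    require_mfa: bool
    groups: Optional[frozenset] = None  # None models the catch-all rule that applies to everyone


@dataclass(frozen=True)
class User:
    groups: frozenset
    enrolled_factors: frozenset
    has_session: bool = False


@dataclass(frozen=True)
class Policies:
    gsp_rules: tuple                   # ordered GspRule objects, catch-all last
    ap_requires_second_factor: bool    # True: "Password + Another factor"; False: "Password" only
    required_enrollment: frozenset     # authenticators marked Required in the enrollment policy


def matching_gsp_rule(rules, user):
    for rule in rules:
        if rule.groups is None or rule.groups & user.groups:
            return rule
    raise ValueError("no rule matched; a Global Session Policy always ends in a catch-all rule")


def sign_in_prompts(user, policies):
    """Return the ordered prompts the user sees when opening an app."""
    prompts = []
    # The GSP is consulted only when there is no Okta session yet.
    gsp_needs_factor = False
    if not user.has_session:
        prompts.append("password")
        gsp_needs_factor = matching_gsp_rule(policies.gsp_rules, user).require_mfa
    # Required-but-missing enrollments come first, whatever the GSP or AP say.
    missing = policies.required_enrollment - user.enrolled_factors
    prompts.extend(f"enroll:{factor}" for factor in sorted(missing))
    # The app's Authentication Policy always applies. A second factor is needed if the AP,
    # or the GSP when it was consulted, asks for one. Assumption of this model: an
    # authenticator enrolled during this same sign-in already proves possession, so the
    # user is not asked to verify it again.
    if (policies.ap_requires_second_factor or gsp_needs_factor) and not missing:
        if not user.enrolled_factors:
            # The article does not cover this case; refuse rather than guess.
            raise ValueError("a second factor is required but nothing is enrolled or Required")
        prompts.append(f"verify:{min(user.enrolled_factors)}")
    prompts.append("signed-in")
    return prompts


# Constructed policy sets mirroring the article's scenarios (all names are this example's own).
DASHBOARD_AP_PASSWORD_PLUS = Policies(
    gsp_rules=(GspRule("catch-all", require_mfa=True),),
    ap_requires_second_factor=True,
    required_enrollment=frozenset({"okta_verify"}),
)
LDAP_GSP_RULES = (
    # A scoped rule placed ahead of the catch-all, as the LDAP note suggests.
    GspRule("ldap-service-accounts", require_mfa=False, groups=frozenset({"ldap-service-accounts"})),
    GspRule("catch-all", require_mfa=True),
)
LDAP_PASSWORD_ONLY = Policies(LDAP_GSP_RULES, ap_requires_second_factor=False,
                              required_enrollment=frozenset())

NEW_USER = User(groups=frozenset({"everyone"}), enrolled_factors=frozenset())
EXISTING_USER = User(groups=frozenset({"everyone"}), enrolled_factors=frozenset({"okta_verify"}))
LDAP_SERVICE_ACCOUNT = User(groups=frozenset({"ldap-service-accounts"}), enrolled_factors=frozenset())

if __name__ == "__main__":
    for label, user, pol in [("Test 1, new user", NEW_USER, DASHBOARD_AP_PASSWORD_PLUS),
                             ("Scenario 2, existing user", EXISTING_USER, DASHBOARD_AP_PASSWORD_PLUS),
                             ("LDAP service account", LDAP_SERVICE_ACCOUNT, LDAP_PASSWORD_ONLY)]:
        print(f"{label}: {' -> '.join(sign_in_prompts(user, pol))}")
```

The scoped LDAP rule only removes the factor prompt for members of the service-account group; every other user still falls through to the catch-all rule, and a Password + Another Factor Authentication Policy on the Admin Console would still prompt the service account there.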


 
