This article will provide a general-purpose checklist for Okta administrators who are attempting to troubleshoot why users are unexpectedly prompted for Multi-Factor Authentication (MFA).

• Okta Identity Engine (OIE)
• Multi-Factor Authentication (MFA)

Checklist

• Global Sign-On Policy:
  • Does it require MFA?
  • Is reauthentication frequency set to “every sign-in” or “signing-in on a new device”?
• Authentication Policy:
  • Do any rules in the policy require Password / IdP + Another Factor or Any 2 Factors?
  • Is the reauthentication frequency set to “every sign-in” or “n time” since another resource was accessed in the current Global session?
• Authenticator Enrollment Policy:
  • For all Rules, is any MFA factor set to Required?
• Password Policy:
  • Do any rules require Okta Verify/Google Authenticator as a recovery factor for self-service password reset or account unlock?
  • Is the Identity Threat Protection Policy (ITP) (Post Auth Session) enforced?