This article explains why a user who has successfully enrolled in a Multi-Factor Authentication (MFA) factor can no longer use it for authentication after being moved out of the Factor Enrollment Policy that enabled it. Although the factor enrollment remains on the user's profile and is visible via the API, it will not be available as an authentication option.
- Factor Enrollment Policies
- Multi-Factor Authentication (MFA)/Adaptive MFA
- Factor disabled
- Okta Identity Engine (OIE)
Factor Enrollment Policies have a dual function: they govern both the initial enrollment in a factor and the ongoing availability of that factor for authentication. An administrator may move a user out of the policy that allowed enrollment as a security measure once the user has completed setup. However, this also removes the user's entitlement to use the factors defined in that policy. Okta evaluates the policy that currently applies to the user; because that policy no longer permits the factors in question, they are treated as not allowed and are effectively disabled for authentication, even though the enrollment itself still exists on the profile.
To resolve this issue and design policies correctly, follow these steps:
- To restore a user's ability to use an enrolled factor, ensure the user is a member of a group that is assigned to a Factor Enrollment Policy where the desired factor is set to Optional or Required.
- As a best practice, design Factor Enrollment Policies with the understanding that they govern on an ongoing basis which factors are available to users, not only at enrollment time. Structure policies around long-term user access needs rather than using them as temporary gates for initial enrollment.
- Build Global Session and Authentication policies to work in tandem with the established Factor Enrollment Policies.
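The following diagnostic is an added example (not Okta's code) for the cause and first resolution step above: given a user's enrolled factors and the MFA_ENROLL policies, it reports enrollments that the user's effective policy no longer permits. It assumes the classic `settings.factors` policy shape (OIE policies use `settings.authenticators` instead), assumes Okta applies the highest-priority matching policy rather than a union of all matching ones, and the factorType/provider-to-key mapping and all sample data are constructed.

```python
# Assumed mapping from the (factorType, provider) pair returned by
# GET /api/v1/users/{id}/factors to the factor key used in MFA_ENROLL policy settings.
FACTOR_KEY = {("push", "OKTA"): "okta_push", ("sms", "OKTA"): "okta_sms",
              ("token:software:totp", "OKTA"): "okta_otp"}

def factor_key(factor):
    pair = (factor["factorType"], factor["provider"])
    return FACTOR_KEY.get(pair, f"{factor['provider']}:{factor['factorType']}".lower())

def effective_policy(policies, user_groups):
    """Highest-priority ACTIVE policy whose group condition matches the user
    (first match wins); a policy with no group condition (Default) matches everyone."""
    for policy in sorted(policies, key=lambda p: p["priority"]):
        if policy.get("status") != "ACTIVE":
            continue
        groups = policy.get("conditions", {}).get("people", {}).get("groups", {})
        include = groups.get("include", [])
        if not include or set(include) & set(user_groups):
            return policy
    return None

def permitted_factors(policy):
    """Factor keys the policy lets a user hold (enroll.self OPTIONAL or REQUIRED)."""
    if policy is None:
        return set()
    return {key for key, cfg in policy["settings"]["factors"].items()
            if cfg["enroll"]["self"] in ("OPTIONAL", "REQUIRED")}

def orphaned_enrollments(enrolled, policies, user_groups):
    """ACTIVE enrollments the effective policy no longer permits: still on the profile, unusable."""
    allowed = permitted_factors(effective_policy(policies, user_groups))
    return sorted({factor_key(f) for f in enrolled
                   if f["status"] == "ACTIVE" and factor_key(f) not in allowed})

# Constructed sample: a priority-1 rollout policy requires Okta Verify push and allows SMS;
# the Default policy only allows SMS and explicitly disallows push.
SAMPLE_POLICIES = [
    {"id": "pol_rollout", "status": "ACTIVE", "priority": 1,
     "conditions": {"people": {"groups": {"include": ["grp_rollout"]}}},
     "settings": {"factors": {"okta_push": {"enroll": {"self": "REQUIRED"}},
                              "okta_sms": {"enroll": {"self": "OPTIONAL"}}}}},
    {"id": "pol_default", "status": "ACTIVE", "priority": 2, "conditions": {},
     "settings": {"factors": {"okta_sms": {"enroll": {"self": "OPTIONAL"}},
                              "okta_push": {"enroll": {"self": "NOT_ALLOWED"}}}}},
]
SAMPLE_ENROLLED = [{"factorType": "push", "provider": "OKTA", "status": "ACTIVE"},
                   {"factorType": "sms", "provider": "OKTA", "status": "ACTIVE"}]

if __name__ == "__main__":
    # While in grp_rollout nothing is orphaned; after removal the push enrollment is.
    print(orphaned_enrollments(SAMPLE_ENROLLED, SAMPLE_POLICIES, ["grp_rollout"]))   # []
    print(orphaned_enrollments(SAMPLE_ENROLLED, SAMPLE_POLICIES, ["grp_everyone"]))  # ['okta_push']
```

Any factor this reports is the one to restore by adding the user to a group whose policy sets it to Optional or Required.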
