MFA Prompt when Performing the First Authentication in Okta
Multi-Factor Authentication
Okta Identity Engine
Overview

This article describes a scenario in which a newly created user performs their first authentication into the Okta Dashboard. The Global Session Policy and Authentication Policy do not require Multi-factor Authentication (MFA), so the user only has to authenticate with a password.
The Enrollment Policy has factors set to REQUIRED that the user must enroll in.

Required factors 
When the user authenticates with a password in the Okta Dashboard, they will be prompted for MFA even though the Global Session Policy and the Authentication Policy do not require a second factor.

Applies To
  • Okta Identity Engine (OIE)
  • Multi-factor Authentication (MFA)
  • Enrollment Policies
Cause

This behavior is by design: when a user enrolls an authenticator, a second factor must be provided for user verification.

Solution

This scenario applies mostly to admins who want to create an Enrollment Policy for service accounts. 

If this behavior is not desired, set up an Enrollment Policy where factors are set to OPTIONAL. 
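
An added example, not part of the original article: a Python check that flags active enrollment policies with authenticators set to REQUIRED, the setting that triggers the prompt described above. It assumes the `MFA_ENROLL` policy JSON layout of Okta's Policies API; the sample policies, their names, and the choice to ignore `okta_password` are constructed for illustration.

```python
import json

# Constructed sample shaped like MFA_ENROLL policy objects (assumed layout).
SAMPLE_POLICIES = json.loads("""
[
  {"type": "MFA_ENROLL", "name": "Service accounts (required)", "status": "ACTIVE",
   "priority": 1, "settings": {"type": "AUTHENTICATORS", "authenticators": [
     {"key": "okta_password", "enroll": {"self": "REQUIRED"}},
     {"key": "okta_verify",   "enroll": {"self": "REQUIRED"}},
     {"key": "google_otp",    "enroll": {"self": "OPTIONAL"}}]}},
  {"type": "MFA_ENROLL", "name": "Service accounts (optional)", "status": "ACTIVE",
   "priority": 2, "settings": {"type": "AUTHENTICATORS", "authenticators": [
     {"key": "okta_password", "enroll": {"self": "REQUIRED"}},
     {"key": "okta_verify",   "enroll": {"self": "OPTIONAL"}}]}},
  {"type": "MFA_ENROLL", "name": "Retired policy", "status": "INACTIVE",
   "priority": 3, "settings": {"type": "AUTHENTICATORS", "authenticators": [
     {"key": "okta_verify",   "enroll": {"self": "REQUIRED"}}]}}
]
""")

# Assumption: the password is what the user already signs in with, so a
# REQUIRED password does not cause an additional enrollment prompt.
PRIMARY = {"okta_password"}


def required_authenticators(policy):
    """Return the non-password authenticator keys marked REQUIRED."""
    settings = policy.get("settings") or {}
    keys = []
    for auth in settings.get("authenticators") or []:
        mode = ((auth.get("enroll") or {}).get("self") or "").upper()
        if mode == "REQUIRED" and auth.get("key") not in PRIMARY:
            keys.append(auth.get("key"))
    return sorted(keys)


def audit(policies):
    """Map each ACTIVE enrollment policy name to its REQUIRED authenticators."""
    findings = {}
    for policy in sorted(policies, key=lambda p: p.get("priority", 0)):
        if policy.get("type") != "MFA_ENROLL" or policy.get("status") != "ACTIVE":
            continue  # inactive or unrelated policies never prompt anyone
        required = required_authenticators(policy)
        if required:
            findings[policy.get("name", "<unnamed>")] = required
    return findings


if __name__ == "__main__":
    for name, keys in audit(SAMPLE_POLICIES).items():
        print(f"{name}: first sign-in will prompt for enrollment of {', '.join(keys)}")
```
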
