Okta Device Access "Authentication Failed" Message After Trying to Sign In with Password and MFA
Okta Device Access
Okta Identity Engine
Overview

When using Okta Device Access (ODA), users may encounter a generic error message:

Authentication Failed


This article explains why ODA behaves this way and clarifies that it is an intended security feature.

Applies To
  • Okta Device Access (ODA)
  • Okta Identity Engine (OIE)
Cause

When an authentication attempt fails, particularly when an incorrect MFA factor is provided, users receive a general Authentication Failed message instead of a specific Invalid Password or Invalid Factor message.

Okta Device Access (ODA) is designed to evaluate the user's password and configured Multi-Factor Authentication (MFA) factor simultaneously during the authentication process. If either the password or the MFA factor is incorrect, ODA will return a single, overarching Authentication Failed message.

Solution

This behavior is an intentional security measure. From a security standpoint, providing highly specific error messages (for example, Invalid Password or Invalid MFA Code) could inadvertently assist malicious actors in "brute-forcing" or otherwise guessing credentials. By returning a generic Authentication Failed message, ODA prevents an attacker from accurately pinpointing which specific factor (password or MFA) was incorrect. This makes it more difficult for unauthorized individuals to determine if they have correctly guessed one part of the authentication process while failing on another.

This is the expected and intended behavior of Okta Device Access (ODA). No action is required to "fix" this, as it is a built-in security feature.
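
The difference between factor-specific and combined failure responses, as an added Python sketch (not Okta's code and not a description of how ODA is implemented). The account data, the function names and the fixed one-time code are constructed for illustration.

```python
import hashlib
import hmac

GENERIC_FAILURE = "Authentication Failed"

# Constructed sample account; values are illustrative, not from any real system.
_SALT = b"constructed-salt"
_USER = {
    "password_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 10_000),
    "expected_otp": "492817",  # stands in for a real MFA factor verification
}


def _check_password(password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)
    return hmac.compare_digest(candidate, _USER["password_hash"])


def _check_otp(otp: str) -> bool:
    return hmac.compare_digest(otp.encode(), _USER["expected_otp"].encode())


def verify_specific(password: str, otp: str) -> str:
    """Contrast case: names the failing factor, so each response confirms or
    rules out one half of the credential pair."""
    if not _check_password(password):
        return "Invalid Password"
    if not _check_otp(otp):
        return "Invalid Factor"
    return "OK"


def verify_combined(password: str, otp: str) -> str:
    """Evaluates both factors on every attempt and reports a single outcome."""
    password_ok = _check_password(password)
    otp_ok = _check_otp(otp)  # always evaluated, no short-circuit on a bad password
    return "OK" if (password_ok & otp_ok) else GENERIC_FAILURE


def distinct_failure_messages(verify) -> set:
    """Failure responses a client can observe across the three failure cases:
    both wrong, only the password wrong, only the MFA code wrong."""
    attempts = [("wrong", "000000"), ("wrong", "492817"), ("correct horse", "000000")]
    return {verify(password, otp) for password, otp in attempts}
```

With `verify_specific` the three failure cases produce two distinguishable responses; with `verify_combined` they collapse into the single Authentication Failed message described above.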
