Okta Error "Authenticator operation is not allowed"
Jan 7, 2026
Okta Classic Engine
Multi-Factor Authentication
Okta Identity Engine
Overview
This article is meant to analyze the situation when trying to enroll a device into an MFA factor and encountering the error:
Authenticator operation is not allowed
Applies To
- Multi-Factor Authentication (MFA)
Cause
Authenticator operation is not allowed error is due to the authenticator not being enabled for the tenant.
For example, if the Okta Verify factor is not enabled under the Security tab > Authenticators for Okta Identity Engine tenants and a user tries to enroll their device in the Okta Verify application, they will encounter this error.
Solution
As an admin, make sure that the desired factor is already enabled:
Okta Identity Provider
Under the Security > Authenticators menu > Setup tab.
Okta Classic Engine
Under the Security > Multifactor menu > Factor Types tab.
NOTE: Ensure that the end user is part of a group in Enrollment (OIE) or Factor Enrollment (Classic) Policy that has been set to "Required" or "Optional."
For example:
The Default Policy is set to be either required or optional (it can be set to either one factor or multiple factors, depending on the company's security requirements).
Okta Identity Engine
Okta Classic Engine
To summarise, the most important and actionable item is for admins to verify if the desired factors are set as "Optional" or "Required" within the enrollment policy and to ensure the authenticator itself is set to "Active."
