Okta Authenticator Operation Is Not Allowed Error Occurs During Device Enrollment
Overview
Okta generates an error during device enrollment in a Multi-Factor Authentication (MFA) factor when the authenticator remains inactive for the tenant. Resolve this issue by enabling the desired factor and verifying the enrollment policy settings. Specifically, a user encounters the following error when attempting to enroll a device in an application, such as Okta Verify, while the factor remains inactive:
Authenticator operation is not allowed
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Multi-Factor Authentication (MFA)
Cause
The authenticator remains inactive for the tenant. For example, if the Okta Verify factor remains inactive under Authenticators in the Security menu for OIE tenants, a user encounters this error when attempting to enroll a device in the Okta Verify application.
Solution
Enable the authenticator in Okta Identity Engine.
Navigate to the Security menu, select Authenticators, and choose the Setup tab to enable the desired factor.
Enable the authenticator in Okta Classic Engine.
Navigate to the Security menu, select Multifactor, and choose the Factor Types tab to enable the desired factor.
Review the enrollment policies to ensure they are configured correctly.
NOTE: Ensure that the end user belongs to a group in the Enrollment (OIE) or Factor Enrollment (Classic) Policy that requires or optionally allows the factor.
Review the Default Policy settings for OIE.
Review the Default Policy settings for Okta Classic Engine.
Verify that the enrollment policy sets the desired factors as Optional or Required and ensure the authenticator status displays as Active.
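The verification above can also be run against exported configuration. The following is an added example, not Okta's own code: it assumes JSON shaped like the responses of Okta's Authenticators API (GET /api/v1/authenticators) and Policy API (GET /api/v1/policies?type=MFA_ENROLL) for an OIE tenant, and that the first active policy by priority whose groups match the user is the one that applies. The sample data, group IDs and the diagnose function are constructed for illustration.

```python
import json

# Constructed sample data, shaped like GET /api/v1/authenticators output (assumption).
AUTHENTICATORS = json.loads("""[
  {"key": "okta_verify", "name": "Okta Verify", "status": "INACTIVE"},
  {"key": "okta_password", "name": "Password", "status": "ACTIVE"}
]""")
# Constructed sample data, shaped like GET /api/v1/policies?type=MFA_ENROLL output (assumption).
POLICIES = json.loads("""[
  {"name": "Default Policy", "status": "ACTIVE", "priority": 2,
   "conditions": {"people": {"groups": {"include": ["00g_everyone"]}}},
   "settings": {"authenticators": [
     {"key": "okta_verify", "enroll": {"self": "OPTIONAL"}}]}},
  {"name": "Contractors", "status": "ACTIVE", "priority": 1,
   "conditions": {"people": {"groups": {"include": ["00g_contractors"]}}},
   "settings": {"authenticators": [
     {"key": "okta_verify", "enroll": {"self": "NOT_ALLOWED"}}]}}
]""")

def diagnose(key, user_groups, authenticators, policies):
    """Return findings that explain why enrolling in authenticator `key` would be refused."""
    findings = []
    auth = next((a for a in authenticators if a.get("key") == key), None)
    if auth is None:
        findings.append(f"{key}: authenticator is not set up for the tenant")
    elif auth.get("status") != "ACTIVE":
        findings.append(f"{key}: authenticator status is {auth.get('status')}, expected ACTIVE")
    # Assumption: lowest priority number wins among active policies matching the user's groups.
    applicable = None
    for pol in sorted(policies, key=lambda p: p.get("priority", 0)):
        groups = pol.get("conditions", {}).get("people", {}).get("groups", {}).get("include", [])
        if pol.get("status") == "ACTIVE" and set(groups) & set(user_groups):
            applicable = pol
            break
    if applicable is None:
        findings.append("no active enrollment policy covers the user's groups")
        return findings
    entries = applicable.get("settings", {}).get("authenticators", [])
    entry = next((e for e in entries if e.get("key") == key), None)
    mode = entry.get("enroll", {}).get("self") if entry else None
    if mode not in ("OPTIONAL", "REQUIRED"):
        findings.append(f"{key}: policy '{applicable['name']}' sets enrollment to {mode}")
    return findings

if __name__ == "__main__":
    for groups in (["00g_everyone"], ["00g_everyone", "00g_contractors"]):
        print(groups, diagnose("okta_verify", groups, AUTHENTICATORS, POLICIES))
```

An empty list means the authenticator is Active and the applicable policy marks it Optional or Required.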
