When signing in with a Personal Identity Verification (PIV) card or a Common Access Card (CAC), the user certificate that was selected, even if it is the wrong one, remains cached for the rest of the browser session. This article describes the steps to take in this situation.
- Common Access Card (CAC) and Personal Identity Verification (PIV) card
- Smart Card/PIV certificate
- Okta Identity Engine (OIE)
- Multi-Factor Authentication (MFA)
- Smart Card Logon
When signing in with a CAC/PIV card and selecting the wrong user Smart Card/PIV certificate, the browser caches the certificate chosen on the first attempt. Any later attempt to re-authenticate with the CAC/PIV card in the same browser session fails, because the browser reuses the cached certificate instead of prompting again.
The same behavior occurs when no certificate is selected and the Cancel button is clicked at sign-in: the browser caches a null value, and re-authentication fails.
This behavior is caused by browser settings that cannot be controlled through Okta. Once a Smart Card/PIV certificate is selected, the browser stores that initial selection in its cache, and Okta is unable to clear it or force a re-prompt.
To be prompted again to select a Smart Card/PIV certificate when signing in with a CAC/PIV card, close all browser windows and tabs, including Incognito windows, then reopen the browser and sign in.
