This Knowledge Base article provides insights into the behavior of Multi-Factor Authentication (MFA) after upgrading to Okta Identity Engine (OIE). It focuses on understanding why users might still be prompted to set up Okta Verify despite attempts to disable it.
- Okta Administrators who have recently upgraded their orgs to OIE and wish to use Single Sign-On (SSO) without enabling Okta Verify
- Multi-Factor Authentication (MFA)
After upgrading to OIE, users may still be prompted to set up Okta Verify even when the org's policies are set to disable Okta Verify or when an Identity Provider (IdP) is used for authentication. This is because, in OIE, factor enrollment requires MFA, and in this context the IdP counts as only a single factor of authentication for enrollment.
- Recognize that the behavior is intentional in OIE to ensure a robust security posture, where factor enrollment necessitates MFA.
- Be aware that Okta's latest release includes a feature that allows Okta to remember the last-used MFA authenticator. Upon subsequent sign-ins, if the last-used authenticator is WebAuthn, Okta Verify Push, or Okta Verify FastPass, that authenticator will be presented as an option in the Sign-In Widget. Although the last-used authenticator is selected by default, users can still choose a different authenticator by clicking on “Verify with something else.”
- If the current OIE settings do not align with the org's preferred authentication procedures, consider asking Okta support about postponing the OIE upgrade until further analysis can be conducted to determine the best course of action.
- Continue to monitor Okta's release notes for updates and new features related to MFA and OIE.
