This article explains why a user is always prompted for the Password and Email authenticators on every new sign-in attempt from a device, even when the application's sign-on policy is configured for a different experience. The behavior occurs when email authentication is allowed within the organization.
- Okta Identity Engine (OIE)
- Multi-factor Authentication (MFA)
The User Enumeration Prevention feature is enabled under Security > General. When this feature is enabled, the organization is protected against attackers who attempt to identify valid user accounts and their authenticator enrollments. As a result, every new-device sign-in prompts for the password and for email verification if email authentication is allowed in the organization. If the user does not exist or cannot sign in, an authenticator verification error is displayed instead of a message that reveals which step failed.
The User Enumeration Prevention feature creates a security-first sign-in experience that protects against user enumeration attacks. When enabled, this feature alters the sign-in flow by presenting a consistent login form, regardless of the user's existence or enrollment status, to prevent attackers from inferring valid usernames or authenticator enrollments. To configure this feature, go to Security > General in the Admin Console.
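To make the difference concrete, the following is an added illustrative model of the two sign-in flows (constructed for this article, not Okta's code): with prevention disabled the server branches on whether the user exists and is enrolled, with it enabled every attempt sees the same prompts and the same generic error. The directory contents, prompt names and error strings are assumptions.

```python
"""Illustrative model of the sign-in behaviour described above (constructed, not Okta code)."""
import hashlib
import hmac
from dataclasses import dataclass, field


def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed sample directory: username -> (password digest, email authenticator enrolled?)
USERS = {"alice@example.com": (_digest("correct horse"), True)}


@dataclass
class Transcript:
    """What a client observes during one new-device sign-in attempt."""
    prompts: list = field(default_factory=list)
    outcome: str = ""


def sign_in(username: str, password: str, email_code_ok: bool, prevention_enabled: bool) -> Transcript:
    t = Transcript()
    record = USERS.get(username)
    password_ok = record is not None and hmac.compare_digest(record[0], _digest(password))

    if not prevention_enabled:
        # Branching on existence and enrollment leaks both facts to the client.
        if record is None:
            t.outcome = "error: unknown user"
            return t
        t.prompts.append("password")
        if not password_ok:
            t.outcome = "error: wrong password"
            return t
        if record[1]:
            t.prompts.append("email")
        t.outcome = "success" if (not record[1] or email_code_ok) else "error: wrong email code"
        return t

    # Prevention enabled: fixed prompt sequence for everyone and, on any
    # failure, the same generic authenticator verification error.
    t.prompts.extend(["password", "email"])
    t.outcome = "success" if (password_ok and email_code_ok) else "error: authenticator verification failed"
    return t


def indistinguishable(a: Transcript, b: Transcript) -> bool:
    """True when a client cannot tell the two attempts apart."""
    return a.prompts == b.prompts and a.outcome == b.outcome
```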
NOTE: User Enumeration Prevention does not take effect if either of the following is enabled:
- Self-service registration
- Just-in-Time (JIT) provisioning flows with email authentication
