MFA Enforcement for the Admin Console
User16370330549592969269

Today, we’d like to share a significant policy change regarding the Okta Admin Console. Okta has previously recommended Multi-Factor Authentication (MFA) for access to the console, as it’s well known that MFA can be an effective tool to protect against identity attacks. However, in the past, customers were able to downgrade the Admin App policy to allow single-factor access. Moving forward, given the risk this poses to our customers, Okta will no longer support single-factor access to the Admin Console. Okta feels strongly that access to the Okta Admin Console must be protected for all customers, and so in early August of 2024, Okta will prevent new single-factor access rules on the Admin Console policy.

This change will impact the admin user experience only when accessing the Admin Console. There will be no change to end-user authentication experiences.

To prepare for this change, Okta is recommending that all customers review their Admin Console access policies and ensure MFA is required on all rules. This video provides guidance and a walkthrough. Rules that allow single-factor access in your Admin Console policy are flagged in your organization’s HealthInsight warnings, as well as on the Admin Console policy page itself. Below are example screenshots for reference.

In the next phase, starting mid-August 2024, Okta will automatically upgrade admin access policies to require MFA. This change will roll out in phases and admins will be notified.


For known single-factor use cases, please review Okta’s recommendations in this FAQ. For any other questions or assistance, please contact support.
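
One way to run the rule review recommended above against an exported copy of the policy, as an added example that is not Okta's code: it lists every rule that could allow single-factor access, including disabled rules and rules with no stated factor mode. The rule shape (`status`, `priority`, `actions.appSignOn.access`, `verificationMethod.factorMode` with values `1FA`/`2FA`) is assumed to follow Okta's Policies API; the rule names are constructed sample data.

```python
# Constructed sample rules for an Admin Console access policy. The field
# layout is an assumption based on Okta's Policies API rule objects.
SAMPLE_RULES = [
    {"name": "Admins on corp network", "status": "ACTIVE", "priority": 0,
     "actions": {"appSignOn": {"access": "ALLOW",
                 "verificationMethod": {"type": "ASSURANCE", "factorMode": "1FA"}}}},
    {"name": "Admins remote", "status": "ACTIVE", "priority": 1,
     "actions": {"appSignOn": {"access": "ALLOW",
                 "verificationMethod": {"type": "ASSURANCE", "factorMode": "2FA"}}}},
    {"name": "Legacy service login", "status": "INACTIVE", "priority": 2,
     "actions": {"appSignOn": {"access": "ALLOW",
                 "verificationMethod": {"type": "ASSURANCE", "factorMode": "1FA"}}}},
    {"name": "Block anonymizers", "status": "ACTIVE", "priority": 3,
     "actions": {"appSignOn": {"access": "DENY"}}},
    {"name": "Catch-all Rule", "status": "ACTIVE", "priority": 4,
     "actions": {"appSignOn": {"access": "ALLOW"}}},
]


def audit_rules(rules):
    """Return (rule name, finding) for each rule that may allow single-factor access."""
    findings = []
    for rule in sorted(rules, key=lambda r: r.get("priority") or 0):
        sign_on = rule.get("actions", {}).get("appSignOn", {})
        if sign_on.get("access") != "ALLOW":
            continue  # DENY rules grant no access, so the factor count is irrelevant
        mode = sign_on.get("verificationMethod", {}).get("factorMode")
        if mode == "2FA":
            continue  # rule already requires MFA
        if mode == "1FA":
            finding = "single-factor"
        else:
            finding = "factor mode not stated, review manually"
        if rule.get("status") != "ACTIVE":
            # A disabled rule is not evaluated today but returns if re-enabled.
            finding += " (inactive, would apply if re-enabled)"
        findings.append((rule.get("name", "<unnamed>"), finding))
    return findings


if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```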