<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D50Z00008G7UcpSAFOkta Classic EngineAdministrationAnswered2024-06-28T09:02:09.000Z2017-12-04T21:03:04.000Z2020-03-07T06:14:39.000Z

JessicaW.72146 (Customer) asked a question.

Edited by varun.kavoori1.5210444522562532E12 September 5, 2018 at 1:19 AM
Can users opt-in for MFA if the tenant Multifactor Policy has "Optional" factors?
We have both of the Eligible Factors in our tenant's MFA policy set to "Optional" - I was able to complete factor setup with a test user, but am unable to find anywhere that the user can enable the factor.  Is this "Optional" parameter just to allow users to set up the factor? Or is there some way for them to opt-in to have multifactor required if they want to secure their account and/or application access?
  • 4 answers
  • 1.46K views

  • josh.skeen1.4283705083512795E12 (Okta, Inc.)

    Hi Jessica,

     

    If you complete factor setup for a user, then that factor is enabled for that user from then on. To use the factor, however, a Sign-On Policy that requires an MFA challenge must be applied to the user. You can create one of these policies from Okta Admin -> Security -> Authentication -> Sign On tab.

     

    Once a valid sign-on policy is in place, your user will be able to use whichever MFA factor they have set up to satisfy the challenge. If they set up multiple optional factors, then they will get to choose which factor they would like to use for the challenge. A user can see what factors they have enabled by going to their Okta Homepage and then clicking on their name, and then Settings.

     

    I hope this helps!

     

    Thank you,

     

    Josh Skeen

    Okta Global Customer Support
    Expand Post

  • JessicaW.72146 (Customer)

    Hi Josh,

     

    Thank you for the answer - it is very much appreciated.  We're actually looking for a way that users could voluntarily "self-enroll" for MFA, as a precursor to us enforcing it via the Sign On policies.  Is that currently possible?

     

    Thanks,

     

    Jessica Wooley
    Expand Post

  • y13l9 (y13l9)

    I would like to know this too, an opt in feature for MFA.

  • TTP.44714 (Customer)

    One thing to do is add a profile field (e.g. "2nd factor opt-in") that would be available for the users to update from their settings page. Then create a group and associated group rule which would automatically populate that group based on the profile field having the desired value (e.g. "Yes"). Then use that group in the various MFA settings. (Of course, you'd have to let your users know that they have to go to their settings to opt in.)

    Expand Post
This question is closed.
Loading
Can users opt-in for MFA if the tenant Multifactor Policy has "Optional" factors?