Okta Classic Engine | Multi-Factor Authentication | Answered | 2024-07-22T09:15:32.000Z | 2018-04-17T18:22:21.000Z | 2018-08-21T16:18:28.000Z
Any way to list who has MFA actively set up and any way to force MFA setup?

Hi,

We currently have MFA set up with Okta/RADIUS for VPN access, but we're looking to expand that to require MFA when using anything Okta externally.

There's a report to show when someone last used or enrolled but they couldn't have (in theory) deactivated it, so I'm looking for a definitive list of who does and does not have MFA set up. Is anyone aware of a report or method to determine that? I'm guessing there's a way in Postman but I'm not overly talented with it.

Is anyone aware of a way to force MFA setup? I see ways to encourage it but not require it.

Thanks in advance for any help or recommendations,

David

  • To enforce users to use MFA you can add a policy rule for users accessing Okta when their IP is not in zone. As for a list of users using MFA at the moment, that will be through APIs; another option is to create a feature request at https://support.okta.com/help/oktaideanew, as for the moment only users authenticating with MFA can be shown in the reports. If you require further assistance please open a case with customer support.
  • j5v7c (j5v7c)

    Hello David,

     

    Thanks for posting your inquiry in Okta Community Portal.

     

    If you receive a great answer to your question(s), please help readers find it by marking it the best answer. Hover over the answer and click "Best Answer." 

     

    Thank you,

     

    Dylann Fezeu

    Okta Help Center Team
  • David Genenz (Customer)

    Thank you for the responses.

     

    Sorry, I didn't explain the issue with enforcement clearly enough. We've had some security issues with staff being stupid with their credentials. I'm sure everyone's shocked that happens ;). What we'd like to do is force MFA setup immediately just like the secret question/answer and make it mandatory.

     

    Currently, if staff don't set up MFA but we require MFA externally and that staff person never accesses Okta remotely, they may never configure it. So an unauthorized third party with their username and password could access Office 365 and that unauthorized party could in theory set up MFA to be able to access their account. There's nothing to prohibit an unauthorized third party from getting in unless MFA was already set up. Curious how or if others are addressing this.

     

    Thanks in advance,

    David
  • Hello David,

     

    You can create an app-level sign-on policy to enforce MFA for the specific application. More on MFA (https://help.okta.com/en/prod/Content/Topics/Security/MFA.htm?Highlight=MFA) and App Sign-On policies (https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm?Highlight=enforce%20MFA).

    If you need assistance in setting a policy, please create a case with Okta Support.

     

    Best regards,

    Eugen Dumitru.
  • JeffK.91045 (Customer)

    David,

     

    I completely get what you’re saying. We have deployed MFA as required for all external access as well, but I was having trouble with factor enrollment.

    To resolve this, I informed staff and then 1) made one of the factors required for enrollment (they can still optionally use another one, but ONE has to be required), and then 2) reset all factor enrollments. This FORCES users to re-enroll at their next login, even if they are accessing internally where MFA is not required to log in. Also, if any one factor is required, they may unenroll from all but the required MFA. By making one required, they must always have one version enrolled at all times.

    I hope this helps.

     

    Jeff

    Selected as Best
  • David Genenz (Customer)

    That's exactly what I was looking for. I'm curious how long that's been available... I don't recall it from before lol

This question is closed.
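
One way to answer the original question through the API, as the reply above suggests (an added example, not code from the thread or from Okta): it pages through Okta's `/api/v1/users` and each user's `/api/v1/users/{id}/factors`, then reports who has no factor in `ACTIVE` status. The org URL, logins and sample responses are constructed placeholders, and `fake_get` stands in for the network so the block runs offline.

```python
import json
import urllib.request

def okta_get(url, token):
    """GET one page from the Okta API; return (JSON body, next-page URL or None)."""
    req = urllib.request.Request(url, headers={"Authorization": f"SSWS {token}"})
    with urllib.request.urlopen(req) as resp:
        body = json.load(resp)
        links = ",".join(resp.headers.get_all("Link") or []).split(",")
    nxt = [p[p.find("<") + 1:p.find(">")] for p in links if 'rel="next"' in p]
    return body, (nxt[0] if nxt else None)

def fetch_all(url, token, get):
    """Follow rel="next" pagination links until the collection is exhausted."""
    items = []
    while url:
        page, url = get(url, token)
        items.extend(page)
    return items

def mfa_report(org, token, get=okta_get):
    """Return ({login: [active factor types]}, [logins with no ACTIVE factor])."""
    enrolled, missing = {}, []
    for user in fetch_all(f"{org}/api/v1/users?limit=200", token, get):
        factors = fetch_all(f"{org}/api/v1/users/{user['id']}/factors", token, get)
        # Only ACTIVE counts: PENDING_ACTIVATION means enrollment was never finished.
        active = sorted(f["factorType"] for f in factors if f["status"] == "ACTIVE")
        login = user["profile"]["login"]
        if active:
            enrolled[login] = active
        else:
            missing.append(login)
    return enrolled, missing

# Constructed sample responses (not real Okta data), keyed by request URL.
ORG = "https://example.okta.com"  # placeholder org URL
def _user(uid, login):
    return {"id": uid, "profile": {"login": login}}
SAMPLE = {
    f"{ORG}/api/v1/users?limit=200": ([_user("00u1", "alice@example.com"), _user("00u2", "bob@example.com")], f"{ORG}/api/v1/users?after=00u2"),
    f"{ORG}/api/v1/users?after=00u2": ([_user("00u3", "carol@example.com")], None),
    f"{ORG}/api/v1/users/00u1/factors": ([{"factorType": "push", "status": "ACTIVE"}, {"factorType": "sms", "status": "ACTIVE"}], None),
    f"{ORG}/api/v1/users/00u2/factors": ([{"factorType": "token:software:totp", "status": "PENDING_ACTIVATION"}], None),
    f"{ORG}/api/v1/users/00u3/factors": ([], None),
}
def fake_get(url, token):
    return SAMPLE[url]

if __name__ == "__main__":
    print(mfa_report(ORG, "unused", get=fake_get))
```

Against a real org, call `mfa_report(org, token)` with a read-only API token; the factor lookup is one request per user, so large orgs will run into Okta's API rate limits.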