Okta Classic Engine / Administration. Status: Answered. Timestamps: 2019-11-27T23:04:29Z, 2019-10-21T21:46:47Z, 2019-10-22T14:42:23Z.
Prompt for MFA if setup, otherwise do not prompt

We are implementing an Okta login page for our web application. Some users will have MFA set up and others will not. For this application we want MFA to be opt-in. We do not plan to enforce it for all users.

I have spent quite some time messing with MFA policies and sign-on policies to try and achieve this, but it is not cooperating. In order for a user to see an MFA prompt they have to be in a group that forces MFA.

Is there a way to configure this so that only users with MFA set up will be prompted to use it for logging in, and users without any MFA set up will not be required to set it up, but can do so optionally from their settings later?


  • We have achieved a similar thing for holistic MFA on select accounts, but not for a specific application. A similar approach might work for you still.

    Try creating a new read/write attribute in your directory profile. Call it 'MFA Opt-in', for example. If you allow this to be read/write for end users, then they can manually set this to true/false from their profile settings. In our case it's a 'string' attribute that acts as a drop-down list for True/False ('yes'/'no' being the attribute members).

    With that attribute, you can create an associated group and rule called something similar, such as 'MFA Opt-in'.

    With this group, you can then create a sign-in policy (in our case it's an authentication sign-on policy) that requires MFA for the 'MFA Opt-in' group.

    End users can opt in/out by flicking the binary attribute.

    Hope that makes sense.

    Selected as Best
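The accepted answer's three steps (self-editable profile attribute, group rule keyed on it, sign-on policy scoped to that group) expressed as Okta API requests, as an added example that is not the answerer's code or Okta's own tooling. Assumptions not in the post: the attribute is named mfaOptIn, the endpoint paths and JSON shapes follow Okta's public User Schema, Group Rule and Policy APIs as I understand them (verify against the current docs before use), and OKTA_ORG_URL and an SSWS OKTA_API_TOKEN are read from the environment.

```python
"""Opt-in MFA as in the accepted answer, via the Okta Classic Engine API. Assumptions (not
from the post): endpoint paths and JSON shapes follow Okta's public User Schema, Group Rule
and Policy APIs; attribute name mfaOptIn; OKTA_ORG_URL / OKTA_API_TOKEN (SSWS) from env."""
import json
import os
import urllib.request

ATTR = "mfaOptIn"
GROUP_RULE_EXPR = f'user.{ATTR} == "yes"'  # Okta Expression Language

def schema_payload():
    """Custom yes/no string attribute that end users may read and write themselves."""
    attr = {"title": "MFA Opt-in", "type": "string", "enum": ["yes", "no"],
            "oneOf": [{"const": "yes", "title": "yes"}, {"const": "no", "title": "no"}],
            "permissions": [{"principal": "SELF", "action": "READ_WRITE"}]}
    return {"definitions": {"custom": {"id": "#custom", "type": "object",
                                       "properties": {ATTR: attr}, "required": []}}}

def group_rule_payload(group_id):
    """Group rule that adds users whose attribute is 'yes' to the opt-in group."""
    return {"type": "group_rule", "name": "MFA Opt-in",
            "conditions": {"expression": {"type": "urn:okta:expression:1.0", "value": GROUP_RULE_EXPR}},
            "actions": {"assignUserToGroups": {"groupIds": [group_id]}}}

def signon_policy_payload(group_id):
    """Okta sign-on policy scoped to the opt-in group only."""
    return {"type": "OKTA_SIGN_ON", "name": "MFA Opt-in",
            "conditions": {"people": {"groups": {"include": [group_id]}}}}

def signon_rule_payload():
    """Policy rule: allow sign-in but require a second factor every time."""
    return {"type": "SIGN_ON", "name": "Require MFA for opt-in users",
            "conditions": {"network": {"connection": "ANYWHERE"}, "authContext": {"authType": "ANY"}},
            "actions": {"signon": {"access": "ALLOW", "requireFactor": True, "factorPromptMode": "ALWAYS"}}}

def okta_post(path, body):
    """POST to the org with an SSWS API token and return the parsed JSON response."""
    req = urllib.request.Request(os.environ["OKTA_ORG_URL"] + path, data=json.dumps(body).encode(),
                                 headers={"Authorization": "SSWS " + os.environ["OKTA_API_TOKEN"],
                                          "Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    okta_post("/api/v1/meta/schemas/user/default", schema_payload())
    group = okta_post("/api/v1/groups", {"profile": {"name": "MFA Opt-in", "description": "Opted-in users"}})
    rule = okta_post("/api/v1/groups/rules", group_rule_payload(group["id"]))
    okta_post(f"/api/v1/groups/rules/{rule['id']}/lifecycle/activate", {})
    policy = okta_post("/api/v1/policies", signon_policy_payload(group["id"]))
    okta_post(f"/api/v1/policies/{policy['id']}/rules", signon_rule_payload())
```

Because the attribute is SELF READ_WRITE, anyone holding a user's session can flip it back to "no" and silently leave the MFA group, so this is an opt-in convenience rather than an enforced control; monitor group membership changes (the group rule re-evaluates on each profile update) if that matters for your application.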
This question is closed.