Okta Classic Engine | Lifecycle Management | Answered | 2026-04-01T09:00:20.000Z | 2020-07-28T15:44:51.000Z | 2020-07-29T21:46:00.000Z

biiqb (biiqb) asked a question.

MFA - Removal and Adding new Factors

Hi All,

 

There are a couple of things we are looking to do

 

  1. We are looking to remove Email as Factor of Authentication from the MFA process. How do you enforce users from moving away from this factor? Would disabling at enrollment and deactivating this factor be sufficient?
  2. A user has enrolled and activated their account and set up MFA (Security question and Text SMS) during activation. Now, the user would like to add a new factor (Okta Verify). However, neither the MFA step nor the profile allows them to sign up for new factors. Any suggestions on how this can be achieved?

 

Best

 

Sashi Sivakumar


  • k5fuw (k5fuw)

    As soon as you disable a factor in a factor enrollment policy, that factor will disappear from the available factor list of anyone that has already enrolled in it. In your example, the user would see only Security Question at the next MFA prompt, and when editing his profile, he would be able to enroll in SMS.

     

    Selected as Best
  • sara.prell1.5433806098919912E12 (Regional Customer Success, Northeast)

    Hi Sashi,

     

    I'm a CSM here at Okta. Hopefully my answers below can be of assistance.

     

    1. You must disable the email factor in all of your policies before marking the factor itself as inactive. When your users sign in following this change, you will likely want them to enroll in a different factor. To do so, ensure that other factors you select are activated as factors, that they are included as either optional or required in a policy, that your policies are stacked in order, and that a rule is applied to the policy that denotes when you'd like the user to enroll in the factor(s).
    2. For new users, enrolling in Okta Verify is detailed here: https://help.okta.com/en/prod/Content/Topics/Mobile/okta-verify-setup-new.htm. End users can only register one device with Okta Verify at a time. To register a new device, end users must reset their Okta Verify account and then open Okta Verify to add and register their new device. Otherwise, I would recommend ensuring that the factor is marked as required or optional and the rule details when the enrollment should occur (first log in, first MFA prompt, do not enroll.)

     

    Here is some documentation that should assist: https://help.okta.com/en/prod/Content/Topics/Security/MFA.htm

    Also, if you ever need assistance providing direction directly to end users, don't forget our End User Toolkit is available and full of reference materials and templates: https://support.okta.com/help/s/end-user-adoption-toolkit

    Please let me know if this information was of use!

     

    Best,

    Sara

  • biiqb (biiqb)

    Thank you so much for your response Sara. On point 1, I have a further question.

     

    Let's say User 1 is enrolled in both Security Questions and Email as factors. I am then disabling email as a factor to be enrolled (and enabling, let's say, SMS and making it optional). Will this apply only for future enrollments? Will User 1 see Email as an option when he logs in next time? If so, is there any way I can ensure he does not see it?

     

    Best

     

    Sashi Sivakumar

     

     

  • sara.prell1.5433806098919912E12 (Regional Customer Success, Northeast)

    Hi Sashi,

     

    While I'm not an engineer, I did test this out in my test instance. If you disable a factor it should not be available, even if it had previously been used. I'd make sure that you have your users enrolled in a second factor at least and let them know that email will be removed as an option. You can even make email optional for a short time before totally disabling it if you want to ensure everyone is sufficiently enrolled. I'd test it out in your test instance too, but that is what I found from playing around with the policies and enrollment!

     

    Best,

    Sara

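Added example, not part of the thread and not Okta's own code: a pre-change audit for the advice above to confirm users hold a second factor before email is disabled. It assumes per-user factor lists with the `factorType` and `status` fields of the Okta Factors API response (`GET /api/v1/users/{userId}/factors`); the sample users are constructed, and treating a lone security question as weak is an assumption of this example.

```python
# Added example: who is affected if the email factor is retired?
# Input shape follows the Okta Factors API list response (assumed fields:
# factorType, status). All sample data below is constructed.

RETIRING = {"email"}   # factor type(s) about to be disabled
WEAK = {"question"}    # assumption: flag users left with only these


def remaining_after_removal(factors, retiring=RETIRING):
    """Active factor types a user keeps once `retiring` is disabled."""
    return sorted({f["factorType"] for f in factors
                   if f.get("status") == "ACTIVE"
                   and f["factorType"] not in retiring})


def audit(users, retiring=RETIRING, weak=WEAK):
    """Classify every user who currently has an active retiring factor."""
    report = {"no_factor_left": [], "weak_only": [], "ok": []}
    for login, factors in users.items():
        if not any(f["factorType"] in retiring and f.get("status") == "ACTIVE"
                   for f in factors):
            continue  # user does not rely on the retiring factor
        left = remaining_after_removal(factors, retiring)
        if not left:
            report["no_factor_left"].append(login)
        elif set(left) <= weak:
            report["weak_only"].append(login)
        else:
            report["ok"].append(login)
    return report


def _f(factor_type, status="ACTIVE"):
    return {"factorType": factor_type, "provider": "OKTA", "status": status}


# Constructed sample: four hypothetical users.
SAMPLE_USERS = {
    "user1@example.com": [_f("email"), _f("question")],
    "user2@example.com": [_f("email")],
    "user3@example.com": [_f("email"), _f("sms"), _f("push", "PENDING_ACTIVATION")],
    "user4@example.com": [_f("sms")],
}

if __name__ == "__main__":
    for bucket, logins in audit(SAMPLE_USERS).items():
        print(f"{bucket}: {logins}")
```

Users in `no_factor_left` and `weak_only` are the ones to notify and get enrolled in another factor before email is deactivated.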
  • biiqb (biiqb)

    Thank you so much Sara and Mike! I will test this out.

This question is closed.