
lhdcs (lhdcs) asked a question.
I would like to require my users to configure one factor from a list of possibilities - for example, either Okta Verify or Google Authenticator. If I set both of these to required, the enrollment screen seems to require the first one to be configured without allowing the user to select the second instead. If only one is required and the other is optional, then only the required one appears at all.
So,
- How do I allow users to choose between two options?
- More generally, what does it mean to have more than one "required" factor? None of the docs address this.

Hello @lhdcs (lhdcs),
Okta MFA enables your IT admin to customize security settings based on risk profile; this could mean that your company may only require a second factor in circumstances where extra protection is necessary, rather than at every login. For example, if you’re logging in from a new location or device, you may be prompted to provide another factor.
Your administrator will decide which factors you can set up.
From the Admin Console, navigate to Security > Multifactor > Factor Enrollment to set the enrollment policies for the factors you have already activated for your users.
Verify that the factors in at least one factor chain are marked as required for enrollment. For example, by defining the following two-factor sequences in your sign-on policy:
a. SMS and Okta Verify
b. Okta Verify and Security Questions
Your end-users are required to enroll in the sequenced factors (a) or (b) for successful authentication to take place.
Regards,
Natalia
Okta Inc.
This is missing the point. What if an administrator requires a person to select one of two (or in my case four) possible MFA options? How do you require MFA without requiring just one particular MFA factor when several will do just as well?
@ChrisB.59763 (Customer) you are correct that the answer was off target. It turns out that if you have multiple factors all marked optional, then it will achieve this result - MFA is required, but the user is free to use any of the factors. This is very unclear in the documentation, but this is how the system behaves (as @b5n6c (b5n6c) correctly says in their answer).
Hi Beau Cronin,
To empower users to choose the MFA enrollment of their choice, you need to set the condition of both enrollment factors to "OPTIONAL". This allows users to enroll in either one or both of the enrollment factors at their discretion.
If there are multiple enrollment factors set to "REQUIRED", then the users must enroll in all of the options, without skipping any. But, for the next sign-in, the user can choose either one of the enrollment factors to authenticate for MFA.
The enrollment factor condition "OPTIONAL" acts as "REQUIRED" if there is only one enrollment factor configured, which forces the user to enroll in that factor.
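
The rules stated in the answers above, applied to enrollment policies as data. This is an added example, not code from Okta or from any poster in the thread. The sample policies are constructed, the `settings.factors.<factor>.enroll.self` layout and the factor keys are assumptions modelled on Okta's MFA_ENROLL policy objects, and it assumes the sign-on policy already requires MFA.

```python
# Constructed sample policies (not exported from a real tenant). The layout
# settings.factors.<factor>.enroll.self and the factor keys are assumptions.
def make_policy(name, **factors):
    return {"type": "MFA_ENROLL", "name": name,
            "settings": {"factors": {f: {"enroll": {"self": s}}
                                     for f, s in factors.items()}}}

POLICIES = [
    make_policy("choose-any", okta_otp="OPTIONAL", google_otp="OPTIONAL"),
    make_policy("both-forced", okta_otp="REQUIRED", google_otp="REQUIRED"),
    make_policy("mixed", okta_otp="REQUIRED", google_otp="OPTIONAL"),
    make_policy("single", okta_otp="OPTIONAL", google_otp="NOT_ALLOWED"),
]

def enrollment_outcome(policy):
    """Return what a user must enroll in, per the rules stated in the thread."""
    status = {f: cfg["enroll"]["self"]
              for f, cfg in policy["settings"]["factors"].items()}
    required = sorted(f for f, s in status.items() if s == "REQUIRED")
    optional = sorted(f for f, s in status.items() if s == "OPTIONAL")
    if required:
        # Every REQUIRED factor must be enrolled; none can be skipped.
        return {"all_of": required, "one_of": [], "optional": optional}
    if len(optional) == 1:
        # A lone OPTIONAL factor behaves as REQUIRED.
        return {"all_of": optional, "one_of": [], "optional": []}
    # Several OPTIONAL factors: the user picks at least one of them.
    return {"all_of": [], "one_of": optional, "optional": []}

def audit(policies):
    """Map policy name -> True if users get a real choice of factor."""
    return {p["name"]: len(enrollment_outcome(p)["one_of"]) >= 2
            for p in policies}

if __name__ == "__main__":
    for p in POLICIES:
        print(p["name"], enrollment_outcome(p))
```
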