Okta Classic Engine | Multi-Factor Authentication | Answered | 2025-10-11T09:00:47.000Z | 2021-11-15T16:40:56.000Z | 2021-12-09T05:20:14.000Z

ChrisB.59763 (Customer) asked a question.

How Do I Require Enrollment and Use of At Least One MFA Factor from Four Possible Choices

I have enabled Okta Verify with Push, Google Authenticator, FIDO2 Security Key, and Yubikey OTP MFA factors. I want to require users to register any one or more of these and then sign on with a password and any previously registered MFA Factor. How do I set this up? I don't want to require all four factors, nor can I allow for just a password-based login.


  • ChrisB.59763 (Customer)

    It turns out that if you set a rule in the applicable Sign On Policy with Authentication as Password + Any IDP/Any Factor, this will force the user to sign in with one of their configured MFA factors in addition to their password.

    Selected as Best
  • b5n6c (b5n6c)

    Hi Chris,

    Navigate through the steps below:

    Admin Console > Security > Multifactor > Factor Types (from there, activate the required factor types) > Factor Enrollment > Add Multifactor Policy

    There will be 3 options available for each factor:

    1. Required
    2. Optional
    3. Disabled

    ·        If you set the enrollment factor type to Optional, users may enroll in any one of the four enrollment factors, or all of them, at their discretion. The enrollment condition Optional acts as Required if there is only one enrollment factor configured, which forces the user to enroll in that factor.

    ·        Users who are already enrolled will continue as they are if all the factors are Optional. If two or more factors are set as Required, then they have to enroll in the new factors.

    ·        If you set more than 2 factors as Required, then the users must enroll in all of those options, without skipping any. But for the next sign-in, the user can choose any one factor type to authenticate for MFA.

  • ChrisB.59763 (Customer)

    The thing is I don't want to make any of the factors required because I have some users that don't have a smartphone. They will be using a USB key. Those are too expensive for all users. So I don't want to require any of the four factors I have activated, but they do need to use one of them. Also, some users will have multiple factors so there is a backup (admins will use Okta Verify with the USB key as a backup). I don't think what is depicted in this screen covers that use case unless I am missing something. Every user must register at least one factor, but I don't want to be in the business of mandating which one that is.

    • b5n6c (b5n6c)

      Hi Chris Bortz,

      In your case, you need to set all of the enrollment factors as "OPTIONAL", which requires users to enroll in any one of the enrollment factors, or all of them, depending on their choice. To put it in other words, you will let users have the privilege of choosing the enrollment factor of their choice by setting all the enrollment factors as Optional.

      At the same time, this configuration will allow users with an already registered enrollment factor to continue without enrolling in other factors, multiple times in a row.
      • ChrisB.59763 (Customer)

        But now what Sign-On policy should I write that will require the user to use their selected MFA factor whichever that happens to be?

      • b5n6c (b5n6c)

        The Sign-On policy doesn't have settings to choose the type of MFA to be prompted for the end user; rather, it has various conditions such as IP address, risk factor, behavior, etc. Based on the evaluation of these configured conditions, access is allowed or denied to the end user.

        You can configure the frequency, the session and the factor lifetime of the MFA that is prompted for the user.
  • b5n6c (b5n6c)

    Glad to know that you were able to fix the issue. Yes, if you are using Identity Engine then there are new options included, like password + another factor, or you can choose any one factor type (Okta Verify or Password or Phone or Security Question**) etc. Classic Engine allowed an additional factor to be enabled/disabled. However, in both cases the factor type applied comes from the enrollment policy, where it is defined and assigned to the group.
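An added example, not code from this thread or from Okta, that models the configuration the two answers above converge on: an MFA enrollment policy with every factor set to Optional, paired with a sign-on rule that requires a factor, so a user with no enrolled factor is sent to enroll one of them and a user with one or more enrolled factors is prompted for any one of them. The payload shapes (policy type `MFA_ENROLL`, per-factor `enroll.self` of `OPTIONAL`/`REQUIRED`/`NOT_ALLOWED`, factor keys such as `okta_verify`, rule action `requireFactor`) follow the Okta Classic Engine Policy API as this example's author understands it and are assumptions to verify against your org's API reference; the group id and org URL are placeholders, and `next_step` is a local simulation of the behaviour described in the thread, not an Okta call.

```python
"""Model of 'all factors Optional + sign-on rule requires a factor'.

Added example (not from the thread or from Okta). JSON key names are assumed
from Okta's public Policy API; the group id and org URL are placeholders.
"""
import json
import os
import urllib.request
from typing import Dict, List, Tuple

# Classic Engine factor keys for the four factors named in the question (assumed).
FACTOR_KEYS = {
    "Okta Verify (push)": "okta_verify",
    "Google Authenticator": "google_otp",
    "FIDO2 security key": "fido_webauthn",
    "YubiKey OTP": "yubikey_token",
}

# Constructed placeholder; a real group id comes from the org.
GROUP_ID_PLACEHOLDER = "00gPLACEHOLDERGROUP"


def mfa_enroll_policy(enroll: Dict[str, str], group_ids: List[str]) -> dict:
    """Build an MFA_ENROLL policy. enroll maps factor key -> OPTIONAL, REQUIRED
    or NOT_ALLOWED (the API spelling of the UI's 'Disabled')."""
    for key, state in enroll.items():
        if state not in ("OPTIONAL", "REQUIRED", "NOT_ALLOWED"):
            raise ValueError(f"bad enrollment state {state!r} for {key}")
    return {
        "type": "MFA_ENROLL",
        "name": "Any one factor, user's choice",
        "conditions": {"people": {"groups": {"include": list(group_ids)}}},
        "settings": {
            "factors": {
                key: {"enroll": {"self": state}, "consent": {"type": "NONE"}}
                for key, state in enroll.items()
            }
        },
    }


def sign_on_rule(name: str, require_factor: bool = True,
                 prompt_mode: str = "SESSION") -> dict:
    """Build an Okta sign-on policy rule; requireFactor is the setting that
    turns 'password only' into 'password + any enrolled factor'."""
    return {
        "type": "SIGN_ON",
        "name": name,
        "conditions": {"network": {"connection": "ANYWHERE"}},
        "actions": {"signon": {"access": "ALLOW",
                               "requireFactor": require_factor,
                               "factorPromptMode": prompt_mode}},
    }


def factor_states(policy: dict) -> Dict[str, str]:
    return {k: v["enroll"]["self"]
            for k, v in policy["settings"]["factors"].items()}


def check_config(policy: dict, rule: dict) -> List[str]:
    """Lint the pair against the asker's requirement: nothing mandated,
    at least one factor available, and no password-only sign-in."""
    issues = []
    states = factor_states(policy)
    enabled = [k for k, s in states.items() if s != "NOT_ALLOWED"]
    required = [k for k, s in states.items() if s == "REQUIRED"]
    if not enabled:
        issues.append("no factor can be enrolled")
    if required:
        issues.append(f"factors mandated for every user: {sorted(required)}")
    if not rule["actions"]["signon"].get("requireFactor"):
        issues.append("sign-on rule does not require a factor; password-only login possible")
    return issues


def next_step(policy: dict, rule: dict, enrolled: List[str]) -> Tuple[str, List[str]]:
    """Simulate what a user sees at sign-in (local model of the thread's
    description, not an Okta API call): ('enroll', factors to pick from or
    mandated), ('verify', enrolled factors to choose one of) or ('password_only', [])."""
    states = factor_states(policy)
    enabled = sorted(k for k, s in states.items() if s != "NOT_ALLOWED")
    required = sorted(k for k, s in states.items() if s == "REQUIRED")
    missing_required = [f for f in required if f not in enrolled]
    if missing_required:
        return ("enroll", missing_required)
    if not rule["actions"]["signon"].get("requireFactor"):
        return ("password_only", [])
    usable = sorted(f for f in enrolled if f in enabled)
    if not usable:
        return ("enroll", enabled)  # user picks any one of the Optional factors
    return ("verify", usable)


def post_json(path: str, body: dict) -> dict:
    """POST to the Okta Policy API using OKTA_ORG_URL / OKTA_API_TOKEN from the
    environment (assumed SSWS token auth); only called when both are set."""
    req = urllib.request.Request(
        os.environ["OKTA_ORG_URL"].rstrip("/") + path,
        data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": "SSWS " + os.environ["OKTA_API_TOKEN"],
                 "Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policy = mfa_enroll_policy({k: "OPTIONAL" for k in FACTOR_KEYS.values()},
                               [GROUP_ID_PLACEHOLDER])
    rule = sign_on_rule("Password + any enrolled factor")
    print("issues:", check_config(policy, rule))
    print("new user:", next_step(policy, rule, []))
    print("USB-key user:", next_step(policy, rule, ["yubikey_token"]))
    if os.environ.get("OKTA_ORG_URL") and os.environ.get("OKTA_API_TOKEN"):
        created = post_json("/api/v1/policies", policy)
        print("created enrollment policy", created.get("id"))
    else:
        print(json.dumps(policy, indent=2))
```

Run it with no environment variables to see the payload and the simulated outcomes; the sign-on rule must be attached to an existing sign-on policy (POST /api/v1/policies/{policyId}/rules) and the enrollment policy's group must be the same population the rule applies to, otherwise users outside the group fall through to the default enrollment policy.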
This question is closed.