Okta Classic Engine | Multi-Factor Authentication | Answered | 2022-10-02T18:54:33.000Z | 2022-06-07T19:56:11.000Z | 2022-06-08T17:17:23.000Z

RohitK.80500 (Customer) asked a question.

Truly Optional MFA

Hi!

 

The scenario I am trying to implement is that we want our users to be able to use MFA if they so desire, but not have it as a required feature. I have configured two factors and they are both optional. This enables me to allow users to sign up for MFA if they so desire. However, when they try to log in, I expect an MFA prompt to be shown, which it doesn't if my Sign On policy rule does not have "Prompt for Factor" enabled.

 

This makes sense, however, when I do enable it, now even users who have not signed up for MFA, and don't wish to, are forced to sign up for MFA to continue logging in.

 

Is there a feature/workaround by which I can have truly optional MFA? Basically, if the Sign On policy rule had an option: "Prompt MFA if MFA is set up for the user"

 

One option I can think of is that any person who enrolls in MFA will need to be manually added to a group that has a different Sign On Policy that prompts for MFA compared to any normal user who is not signed up for MFA.

 

I have looked through the help docs as well as some previous posts in this community but none of them have been able to answer this question:

 

Any help will be appreciated.


  • flaviu.vrinceanu1.5628408972654734E12 (Customer Success Service Delivery)

    Hi @RohitK.80500 (Customer)​,

     

    Thank you for posting on the Okta community page!

     

    I have done some research on my end and it seems that currently there is no such functionality in which you would provide to users the ability to select if they want to sign in with MFA or not. A workaround would be to create 2 groups (one with users that need to authenticate with MFA and one with users that do not have to) that would be assigned to 2 different Sign On policies, where one policy will require MFA and the other will not.

     

    If you would like to see such functionality in Okta the best route to pursue this is via a feature request. The best way to file feature requests would be from the community site.

     

    Once feature requests are submitted they are visible to other Okta admins, who can vote on them to provide more visibility. Using this method will allow you to maintain visibility on your feature requests throughout the process.

This question is closed.
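
The two-group workaround from the answer depends on group membership tracking who has actually enrolled, which the question proposed doing by hand. The sketch below is an added example, not part of the original thread and not Okta's code: it plans the membership changes from factor enrollment data and builds the corresponding Groups API requests without sending them. The group ID is a placeholder and all user IDs and factor records are constructed sample data.

```python
# Added example (not Okta's code): keep an "MFA enrolled" group in sync
# with factor enrollment, so the MFA-prompting Sign On policy applies only
# to users who opted in. All IDs below are constructed sample data.

MFA_GROUP_ID = "GROUP_ID_PLACEHOLDER"  # assumption: group tied to the MFA policy


def has_active_factor(factors):
    """True only if at least one factor finished enrollment (status ACTIVE).

    PENDING_ACTIVATION factors are ignored: a user with only a half-enrolled
    factor is not yet able to answer an MFA prompt with it.
    """
    return any(f.get("status") == "ACTIVE" for f in factors)


def plan_group_changes(factors_by_user, current_members):
    """Return (to_add, to_remove) user-ID lists for the MFA group.

    Members with no entry in factors_by_user count as not enrolled.
    """
    enrolled = {uid for uid, fs in factors_by_user.items() if has_active_factor(fs)}
    members = set(current_members)
    return sorted(enrolled - members), sorted(members - enrolled)


def to_requests(to_add, to_remove, group_id=MFA_GROUP_ID):
    """Translate the plan into Okta Groups API calls as (method, path) pairs."""
    path = "/api/v1/groups/{}/users/{}"
    return ([("PUT", path.format(group_id, u)) for u in to_add] +
            [("DELETE", path.format(group_id, u)) for u in to_remove])


# Constructed sample: shape follows GET /api/v1/users/{userId}/factors.
SAMPLE_FACTORS = {
    "00uAAA": [{"factorType": "token:software:totp", "status": "ACTIVE"}],
    "00uBBB": [],                                             # never enrolled
    "00uCCC": [{"factorType": "sms", "status": "PENDING_ACTIVATION"}],
    "00uDDD": [],                                             # factors were reset
}
SAMPLE_MEMBERS = ["00uDDD"]  # still in the MFA group from an earlier enrollment

if __name__ == "__main__":
    add, remove = plan_group_changes(SAMPLE_FACTORS, SAMPLE_MEMBERS)
    for method, path in to_requests(add, remove):
        print(method, path)
```

Removals lower the sign-on requirement for that account, so the plan returns them separately from additions and they can be held for review before being applied.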