0D54z00008dmegBCAQ | Okta Identity Engine | Authentication | Answered | 2025-10-11T09:00:47.000Z | 2023-01-16T17:59:23.000Z | 2023-01-19T16:38:29.000Z

JosephC.41528 (Customer) asked a question.

Authenticator enrollment policy clarification

I am reading the documentation and it seems pretty straightforward, but I am not clear on the policy definition UI.

 

What is the purpose of the dropdown next to each eligible authenticator where the options are required, optional or disabled?

 

In what way do those three options manifest for users?

 

As far as I understand, either the password (and recovery) policy or an application policy must require a given authenticator for it to be presented to the user and be made available for enrollment.

 

How would disabling an authenticator in the enrollment policy produce a variation in the user's experience?


  • b5n6c (b5n6c)

    Hi Emiliano Fiorentino,

    The Eligible authenticators section in enrollment policies shows the list of enabled authenticators for your org. The Required/Optional/Disabled options help you choose the authenticators from the available list for that particular group.

    Setting Optional allows users to enroll in either one or all of the enrollment factors at their discretion.

    If there are multiple enrollment factors set to Required, then the users must enroll in all of the options, without skipping any. But for the next sign-in, the user can choose either enrollment factor to authenticate for MFA.

    The enrollment factor condition "OPTIONAL" acts as "REQUIRED" if there is only one enrollment factor configured, which forces the user to enroll in the factor.

    When you disable an authenticator in a policy, end users will no longer be able to select that authenticator when signing in, regardless of whether they were enrolled in that authenticator before.

     

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Selected as Best
  • 779v9 (779v9)

    Hi,

    Thanks for the detailed answer. I see that you cannot specify the type of authenticator required at the application level, but rather the number, so it makes sense.

     

    Thank you

This question is closed.
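
The rules in the accepted answer above, modelled as an added example (not part of the original thread and not Okta's code). The policy JSON is a constructed sample in the shape assumed for an Okta Policy API `MFA_ENROLL` policy, with `NOT_ALLOWED` assumed to be the API spelling of the UI's Disabled; `evaluate_enrollment` is a hypothetical helper.

```python
import json

# Constructed sample policy. The shape (settings.authenticators[].enroll.self)
# is an assumption about the Okta Policy API export; check it against your org.
SAMPLE_POLICY = json.loads("""
{
  "name": "Contractors enrollment (constructed)",
  "type": "MFA_ENROLL",
  "settings": {"type": "AUTHENTICATORS", "authenticators": [
    {"key": "okta_password", "enroll": {"self": "REQUIRED"}},
    {"key": "okta_verify",   "enroll": {"self": "REQUIRED"}},
    {"key": "webauthn",      "enroll": {"self": "OPTIONAL"}},
    {"key": "phone_number",  "enroll": {"self": "NOT_ALLOWED"}}
  ]}
}
""")


def evaluate_enrollment(policy, already_enrolled):
    """Apply the Required/Optional/Disabled rules from the answer to one user.

    Returns what the user is forced to enroll, may enroll, can pick at
    sign-in right now, and which existing enrollments the policy blocks.
    """
    modes = {a["key"]: a["enroll"]["self"]
             for a in policy["settings"]["authenticators"]}
    required = {k for k, m in modes.items() if m == "REQUIRED"}
    optional = {k for k, m in modes.items() if m == "OPTIONAL"}
    disabled = {k for k, m in modes.items() if m == "NOT_ALLOWED"}
    # A lone Optional authenticator behaves as Required.
    if optional and len(required | optional) == 1:
        required, optional = optional, set()
    enrolled = set(already_enrolled)
    return {
        "must_enroll": sorted(required - enrolled),
        "may_enroll": sorted(optional - enrolled),
        # Assumption: only authenticators the policy allows are selectable.
        "usable_at_sign_in": sorted(enrolled & (required | optional)),
        # Enrolled earlier, but Disabled here: no longer selectable.
        "blocked_enrollments": sorted(enrolled & disabled),
    }


if __name__ == "__main__":
    user = ["okta_password", "phone_number"]  # constructed prior enrollments
    print(json.dumps(evaluate_enrollment(SAMPLE_POLICY, user), indent=2))
```

Running it over each group's policy before changing a dropdown to Disabled shows which existing enrollments would stop being selectable.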