
eninv (eninv) asked a question.
Can someone please explain to me what the two policies below say when enrolling the rule in MFA?
- Enroll Multifactor: Use the dropdown menu to enforce the following two options:
  - The user must enroll in the multifactor option during their initial sign-in to Okta.
  - The user can enroll when first challenged for an MFA option.
It is a bit confusing, and it seems both rules convey the same meaning.
A video illustration would be more convenient.

Hi,
For more context on a potential use case, see NIST's Authenticator Assurance Levels: https://sec.okta.com/articles/2023/03/setting-right-levels-assurance-zero-trust
The first time a user signs in - regardless of what application is being accessed and what MFA requirements that application has, the user will be prompted to enroll in MFA based on the Multifactor Policy their account matches.
The first time a user is challenged for MFA - if the Okta Dashboard or application the user is accessing does not require MFA, then the user will not be forced to enroll.
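
The difference between the two options described in the reply above, as an added example that is not part of the original thread and is not Okta's code: a small Python model that replays constructed sign-in events under each option and reports who ends up without an enrolled factor. The mode labels, user names, app names and events are assumptions made for this illustration.

```python
# Added illustration; labels and sample data are constructed, not taken from Okta.
from dataclasses import dataclass

LOGIN = "LOGIN"          # option 1: enroll during the initial sign-in to Okta
CHALLENGE = "CHALLENGE"  # option 2: enroll when first challenged for MFA


@dataclass
class SignIn:
    app: str
    app_requires_mfa: bool  # does this app's sign-on policy ask for MFA?


def forces_enrollment(mode, event):
    """True if a not-yet-enrolled user is made to enroll at this sign-in."""
    if mode == LOGIN:
        return True                    # any sign-in, whatever the app requires
    if mode == CHALLENGE:
        return event.app_requires_mfa  # only when an MFA challenge is actually issued
    raise ValueError(f"unknown enrollment mode: {mode!r}")


def first_enrollment(mode, events):
    """Index of the sign-in at which the user enrolls, or None if never."""
    for index, event in enumerate(events):
        if forces_enrollment(mode, event):
            return index
    return None


def unenrolled_users(mode, history):
    """Users who still have no factor enrolled after replaying their sign-ins."""
    return sorted(user for user, events in history.items()
                  if first_enrollment(mode, events) is None)


# Constructed sample: alice eventually opens an app that requires MFA, bob never does.
HISTORY = {
    "alice": [SignIn("dashboard", False), SignIn("payroll", True)],
    "bob": [SignIn("dashboard", False), SignIn("wiki", False)],
}

if __name__ == "__main__":
    for mode in (LOGIN, CHALLENGE):
        print(mode, "-> still unenrolled:", unenrolled_users(mode, HISTORY))
```

Under the second option, an account that only ever reaches apps without an MFA requirement stays unenrolled, which is worth checking for when reviewing which option a policy rule uses.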