You will also need to check the Global Session Policy under Security. It may be enforcing MFA there. Global Session Policy can be configured to "Any authenticator to satisfy the requirements" that will leverage the authentication policies only. Think of it as 2 layers; Global Session Policy, then Authentication Policy.

I hope that helps! Here's some reference material: https://developer.okta.com/docs/guides/configure-signon-policy/main/

Thanks, Harry, for your response. The Global Session Policy already had “Any authenticator to satisfy the requirements” and the MFA was set to ‘Not required’ as shown in the attached screenshot.

I attempted to switch the ‘Establish the user session with’ to ‘password’, the Password field was displayed on the Sign-in page but after entering the credentials, MFA Okta Verify step was still displayed.

Here’s a screenshot of a non-admin user requesting MFA Okta Verify step.

It appears that there is only one default policy in the Authenticators -> Enrollment -> Default Policy section (screenshot attached). The default policy indicates that ‘Okta Verify’ is an optional step. However, as shown in the earlier screenshot, a non-admin user cannot proceed unless they configure the Okta Verify. The earlier screenshot also shows a ‘Required now’ label for the Okta Verify step!

Yes, users sign into the Okta dashboard application and then launch a custom app (application tile from the dashboard) assigned to them, as shown in the screenshot.

If I update the Okta dashboard app, I believe it will also apply to Admins. However, removing the MFA factor for Admins would make the tenant unusable.

Harry, I appreciate your assistance in guiding me through this problem.

So, I created two rules: one for Okta Administrators and the other for Non-Okta Administrators.

After applying the rule, Non-Okta Administrators users are now able to log in using their passwords. 🎉

However, the Admin is unable to log in. 😞

Fortunately, I have an API token, and the Admin session is still active. Could you please review these policies and let me know what I need to do to enable the Admins to log in?

I didn’t update the Catch-all rule. For completeness, I’ve attached the complete page screenshots.

Thanks in advance.

It looks like you're requiring Okta FastPass for Admins. However, it may not be enabled under Authenticators -> Okta Verify (Edit) -> Check Okta FastPass Box. Hence the "unable to sign in" error.

Either enable Okta FastPass under authenticators, OR change the Admin rule to allow Okta Verify Push/TOTP and you should be good to go!

Ah, I see why you asked me to check this step. However, the ‘Okta FastPass Box’ was already enabled in the /admin/access/multifactor section.

I also enabled the ‘Push notification (Android and iOS only)’ option.

I’m not sure if simply re-saving the authenticators resolved the issue or if adding the ‘Push notification (Android and iOS only)’ option was the solution. Regardless, the problem has been resolved 🙏

• Admin login - showed password and Okta verify Push flow
• Non-admin login - showed only password flow

I have a different sub-question, if you could enlighten me on this too:

• In the 'Catch-all Rule', 'Allowed with any 2 factor types' shows all these options: Password or Okta Verify - Push1 or Okta Verify - FastPass1
• But in the 'AdminOnly2FA', 'Allowed with any 2 factor types' shows only 'Password or Okta Verify - FastPass'.

Why does the 'AdminOnly2FA' show different 2 factor types when compared to the 'Catch-all Rule'?