Allow users to self-enroll in MFA

Under Security -> Multifactor -> Factor Enrollment, I have set two factors as optional, and I have a rule set to enroll users the first time they are challenged for MFA.

I also have an app-level sign on policy to challenge users for MFA once per session.

This means users are required to complete MFA enrollment for one of the two factors at the start of their next session. What I want to do is allow users to choose whether or not they’d like to enroll in MFA at all. I.e. allow users to optionally self-enroll. How can I do this?

So what’s the behavior you currently see after setting up policies, like you explained? Are you not presented with the screen to select MFA?

Yeah, currently users are presented with the screen to enroll in MFA. But this enrollment is mandatory. What I’d like to do is present the screen to enroll in MFA, but have it be optional. That way users can optionally self-enroll in MFA.

But if you set the policy to enroll in MFA the first time they are challenged, you can’t avoid enrolling. I’m still struggling to understand the use case.

If your users are not enrolled forcibly b/c of the policy, they can enroll in the self-service section after they log into Okta.

Oh yeah, we aren’t exposing the self-service section to users. I guess we would just need to implement a custom enrollment flow using the APIs.

