Allow users to self-enroll in MFA

Under Security -> Multifactor -> Factor Enrollment, I have set two factors as optional, and I have a rule set to enroll users the first time they are challenged for MFA.

I also have an app-level sign on policy to challenge users for MFA once per session.

This means users are required to complete MFA enrollment for one of the two factors at the start of their next session. What I want to do is allow users to choose whether or not they’d like to enroll in MFA at all. I.e. allow users to optionally self-enroll. How can I do this?

So what’s the behavior you currently see after setting up policies, like you explained? Are you not presented with the screen to select MFA?

Yeah currently users are presented with the screen to enroll in MFA. But this enrollment is mandatory. What I’d like to do is present the screen to enroll in MFA, but have it be optional. That way users can optionally self-enroll in MFA.

But if you set the policy to enroll in MFA the first time they are challenged, you can't avoid enrolling. I'm still struggling to understand the use case.

If your users are not enrolled forcibly because of the policy, they can enroll in the self-service section after they log into Okta.

Oh yeah, we aren't exposing the self-service section to users. I guess we would just need to implement a custom enrollment flow using the APIs.


I actually found a way to do this without implementing the custom enrollment flows via API. Basically, you need to enable app-level MFA first. If you’re using the okta-hosted signin widget there’s nothing special for you to do in code. You just have to add an app-level MFA sign on policy. But if you have a custom signin widget, then use the solution described here.

Once that's done, create a new group, call it something like Users_SMS_OptIn. Then create a new Multifactor enrollment policy and assign it to that group. Add SMS Auth as a required factor, all other factors disabled. Add a policy rule where users are prompted to enroll on first challenge. Now add an app sign on policy that is only applied to users in the Users_SMS_OptIn group. The policy should require multifactor at whatever interval you choose. Finally, you need to create a custom web page where users can go in order to opt in to MFA. This will have to be built custom since it's not supported by the signin widget. When users click opt in you need to make a backend API call to Okta to add them to the Users_SMS_OptIn group. Then on their next login they will be prompted for factor enrollment. To opt out, make two API calls to remove them from the group and then reset their MFA factors.

This solution does still require some custom code but it’s much simpler than trying to implement the MFA enrollment flows by hand. You still leverage the widget’s built in support for MFA factor enrollment and prompting.
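The backend calls that the opt-in/opt-out flow above needs, as an added example that is not part of the original post: the org URL, API token, group id and user id are placeholders, and the `send` parameter exists only so the request construction can be exercised offline.

```python
"""Backend helpers for the group-based MFA opt-in flow described above.

Constructed example. OKTA_ORG, API_TOKEN and every group/user id are
placeholders; the endpoints are the Okta Management API group-membership
and reset_factors calls.
"""
import os
import urllib.request

OKTA_ORG = os.environ.get("OKTA_ORG", "https://example.okta.com")  # placeholder
API_TOKEN = os.environ.get("OKTA_API_TOKEN", "REPLACE_ME")        # placeholder, keep server-side


def _request(method, path, send=None):
    """Build an authenticated Management API request and hand it to `send`.

    By default `send` performs the HTTP call and returns the status code;
    tests can pass a fake that inspects the request instead.
    """
    req = urllib.request.Request(
        f"{OKTA_ORG}{path}",
        method=method,
        headers={
            "Authorization": f"SSWS {API_TOKEN}",
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
    )
    if send is None:
        def send(r):
            with urllib.request.urlopen(r) as resp:
                return resp.status
    return send(req)


def opt_in(group_id, user_id, send=None):
    """Add the user to the opt-in group; the widget then prompts enrollment.

    user_id must come from the caller's authenticated session, not from a
    request parameter, so one user cannot change another user's MFA state.
    """
    return _request("PUT", f"/api/v1/groups/{group_id}/users/{user_id}", send)


def opt_out(group_id, user_id, send=None):
    """Two calls, as the post describes: leave the group, then reset factors."""
    removed = _request("DELETE", f"/api/v1/groups/{group_id}/users/{user_id}", send)
    reset = _request("POST", f"/api/v1/users/{user_id}/lifecycle/reset_factors", send)
    return removed, reset
```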
