MFA set for previous trial gets persisted and prevents user from selecting a different MFA method

I have multiple MFA methods configured and, using a custom UI, I am trying to do two-factor authentication by invoking the Okta IDX APIs.
In the first step, I invoke the authenticate() API with valid credentials for username and password.
In the next step, when my custom UI selects an MFA method (say, Google Authenticator) from a drop-down, I invoke the Okta API proceed() to set the authenticator to Google Authenticator, and it then verifies successfully.
But in my next trial, when I enter the username and password and invoke the authenticate() API, the transaction response looks as if the authenticator option is already set to Google Authenticator.
How can I change it?
I have tried invoking idx.cancel() to clear the previous state. But it still persists the authenticator key in the nextSteps of that transaction response.
Please suggest how to clear the selected authenticator when trying to authenticate for the second time.


Okta's behavior is to select the last used factor by default. This is typically stored in a cookie and will be remembered for a month. There is no admin setting to change this behavior. This article explains how it is done.

You can probably check all the remediation steps returned. These typically include select-authenticator-authenticate along with the challenge-authenticator remediation step.

So you have a couple of choices now: either proceed and verify with Google Authenticator, or select a new one by sending a new .proceed({ authenticator: 'different authenticator' }) call. For example:

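// Switch to the password authenticator...
let idxResp = await oktaAuth.idx.proceed({ authenticator: AuthenticatorKey.OKTA_PASSWORD });
// ...or, alternatively, switch to the phone authenticator using SMS.
idxResp = await oktaAuth.idx.proceed({ authenticator: AuthenticatorKey.PHONE_NUMBER, methodType: 'sms' });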

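The decision described in the answer above, written out as an added example that is not part of the original posts and is not Okta's code. `planMfaStep` is a hypothetical helper, and the transaction shape (`availableSteps`, `options[].value`, `authenticator.key`) and the authenticator key strings are assumptions on constructed sample data.

```javascript
// Added example. Step names come from the thread; the transaction object
// below is a constructed sample, not a captured Okta response.
const SELECT_STEP = 'select-authenticator-authenticate';
const CHALLENGE_STEP = 'challenge-authenticator';

// Hypothetical helper: decide what the custom UI should do with an IDX
// transaction, given the authenticator key the user picked (or null).
function planMfaStep(transaction, chosenKey) {
  const steps = transaction.availableSteps || [];
  const select = steps.find((s) => s.name === SELECT_STEP);
  const challenge = steps.find((s) => s.name === CHALLENGE_STEP);
  const preselected = challenge && challenge.authenticator
    ? challenge.authenticator.key : null;
  const offered = select ? (select.options || []).map((o) => o.value) : [];

  if (!chosenKey) {
    // Nothing picked yet: show the drop-down, marking the remembered factor.
    return { action: 'show-chooser', offered, preselected };
  }
  if (chosenKey === preselected) {
    // The remembered factor is the one the user wants: go on to verification.
    return { action: 'verify', authenticator: chosenKey };
  }
  if (offered.includes(chosenKey)) {
    // Different factor: pass args to oktaAuth.idx.proceed(args).
    return { action: 'proceed', args: { authenticator: chosenKey } };
  }
  // Never forward a key the server did not offer for this transaction.
  return { action: 'reject', reason: `authenticator not offered: ${chosenKey}` };
}

// Constructed sample: second login, Google Authenticator remembered.
const secondLogin = {
  nextStep: { name: CHALLENGE_STEP, authenticator: { key: 'google_otp' } },
  availableSteps: [
    { name: CHALLENGE_STEP, authenticator: { key: 'google_otp' } },
    { name: SELECT_STEP, options: [
      { label: 'Google Authenticator', value: 'google_otp' },
      { label: 'Phone', value: 'phone_number' },
      { label: 'Okta Verify', value: 'okta_verify' },
    ] },
  ],
};

console.log(planMfaStep(secondLogin, null));
console.log(planMfaStep(secondLogin, 'phone_number'));
```
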

Thanks for sharing the workaround. :+1: