Problem with security question as authenticator

Hi,

I am testing, and I have seen some change from before and now, before I let me put the security question and everything was correct, provided that the global session policy had the password as the first factor, and in the authentication policy as password plus any other factor, okta verify or security question, before this worked fine, now you must see some change, as it jumps the security question and forces me to configure okta verify even having it as optional factor, which I do not understand. I leave my settings, I do not know if something has changed from before or my feeling is that no longer lets you use the security question as a second factor, if not as an additional factor but always need another, if you can help me confirm this, thanks.

Even before I could have disabled okta verify on enrollment and it didn’t fail, now it gives “Access has been denied because the policy requirements could not be satisfied by the users’ current set of available authenticator enrollments” error if I disable that factor.

The behavior is not as this document says, it lets you choose and if you choose security question, it should let you pass, but it forces me to put okta verify:

https://support.okta.com/help/s/article/Enabling-Security-Question-as-a-Second-Authenticator-in-Okta-OIE-Okta-Identity-Engine-Best-Practices-and-Implementation-Steps?language=en_US

Hi dmartinez!

This is really a configuration question instead of a developer question, it may have been better to post it to one of the authentication discussion groups in the okta communities: Okta Help Center (Lightning).

Anyways, I teach this for Okta so it piqued my curiosity and I set up a quick test, It works exactly as I would expect it too. I have to answer the security question after the password to get in. So, no un-documented, recent changes there.

To get kicked out without having to provide it can only happen under specific circumstances. My best guess is that the user may not have the security question set, and the enrollment policy doesn’t allow enrollment from where the login is happening? I did check this too, and the engine is pretty smart and it hasn’t changed. If you require MFA and the user doesn’t have MFA, and they are allowed to enroll, then they are forced to enroll before they can get in even if the enrollment policy doesn’t have any required authenticators.

There are so many other things that could go wrong: the enrollment policy my not apply to the user, the authentication policy rule might not apply to the user…

Joel