Removing two factor authentication best practices?

We are putting our app behind Okta and I’m working on adding and removing two factor auth from users accounts. My coworker implemented removing TFA by removing the user from a group the requires TFA. I found a bug related to that where he assumed the user has TFA is their list of factors is not empty. I’m wondering if there is a best practice for removing TFA. Is deleting the factor from the user account better by any means or is keeping it around not a problem even though it stays there and the status field does not change from being active from what I’ve seen. Thanks for any help!

Hi @jschindler! You can remove MFA under: 1. MFA > Factor Enrollment AND 2. Authentication > Sign-On Policy. If you run into issues, I recommend opening a support case - Okta Help Center (Lightning) with this issue. One of our Support Engineers will be happy to assist you further.

1 Like

Thanks! I definitely don’t have a problem here, I was just wondering if there was a best practice when doing it programmatically via the sdk. You can either remove them from the TFA group or delete that factor from what I know.