MFA requirements

This security task ensures that multifactor authentication (MFA) requirements aren't in conflict with Okta Behavior Detection. It also ensures that MFA policy rules aren't bypassed.

These settings appear on the Okta Sign-On Policy Add Rule or Edit Rule page. This combination creates a mismatch between the policy's condition and its action:

Option: Behavior is
Setting: New Device

Option: Users will be prompted for MFA
Setting: You've selected one of these options:

  • When signing in with a new device cookie
  • After MFA lifetime expires for the device cookie

When users select this security task, recommendations to correct the configuration appear.

HealthInsight task recommendation

Set require factors to ensure that end users assigned to a given policy are enrolled in multifactor authentication.

Okta recommends

Select At every sign in for the Users will be prompted for MFA option on the Okta Sign-On Policy Add Rule or Edit Rule page. See Configure an Okta sign-on policy for instructions.

Security impact

Moderate

End-user impact

None
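
The mismatch this task reports can also be checked offline against exported sign-on policy rules. The following is an added example, not Okta's code: the field names (requireFactor, factorPromptMode, conditions.risk.behaviors), the mapping of the two flagged options to DEVICE and SESSION, and all sample data are assumptions modelled on Okta Policy API rule JSON.

```python
# Added example: flag sign-on policy rules that pair the "New Device" behavior
# with a device-cookie-based MFA prompt. Field names and the UI-to-API value
# mapping are assumptions modelled on Okta Policy API rule JSON.
COOKIE_BASED_MODES = {
    "DEVICE": "When signing in with a new device cookie",
    "SESSION": "After MFA lifetime expires for the device cookie",
}
FLAGGED_BEHAVIOR = "New Device"

def find_mismatched_rules(rules, behavior_names):
    """Return [(rule name, offending prompt setting)] for active rules."""
    findings = []
    for rule in rules:
        if rule.get("status", "ACTIVE") != "ACTIVE":
            continue  # inactive rules are never evaluated
        signon = (rule.get("actions") or {}).get("signon") or {}
        mode = signon.get("factorPromptMode")
        if not signon.get("requireFactor") or mode not in COOKIE_BASED_MODES:
            continue  # no MFA prompt, or already "At every sign in"
        risk = (rule.get("conditions") or {}).get("risk") or {}
        # Rules reference behaviors by id; resolve ids to display names.
        names = {behavior_names.get(b, b) for b in risk.get("behaviors") or []}
        if FLAGGED_BEHAVIOR in names:
            findings.append((rule["name"], COOKIE_BASED_MODES[mode]))
    return findings

def _rule(name, behavior_id, mode, status="ACTIVE"):
    """Build one constructed rule in the assumed export shape."""
    return {"name": name, "status": status,
            "conditions": {"risk": {"behaviors": [behavior_id]}},
            "actions": {"signon": {"requireFactor": True,
                                   "factorPromptMode": mode}}}

# Constructed sample data: ids and rule names are placeholders.
SAMPLE_BEHAVIORS = {"bhv-1": "New Device", "bhv-2": "New Country"}
SAMPLE_RULES = [
    _rule("new-device-per-device", "bhv-1", "DEVICE"),
    _rule("new-device-per-session", "bhv-1", "SESSION"),
    _rule("new-device-always", "bhv-1", "ALWAYS"),
    _rule("new-country-per-device", "bhv-2", "DEVICE"),
    _rule("disabled-rule", "bhv-1", "DEVICE", status="INACTIVE"),
]

if __name__ == "__main__":
    for name, setting in find_mismatched_rules(SAMPLE_RULES, SAMPLE_BEHAVIORS):
        print(f"{name}: MFA prompt is '{setting}'; set it to 'At every sign in'")
```

Only the first two sample rules are reported; the rule that already prompts at every sign in, the rule tied to a different behavior, and the inactive rule are not.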

Related topics

HealthInsight tasks and recommendations

Configure Okta ThreatInsight

About multifactor authentication

General Security

About Behavior Detection