MFA requirements
This security task appears when users select the following settings on the Okta Sign-On Policy Add Rule or Edit Rule page:
| Option | Setting |
| Behavior is | New Device |
| Users will be prompted for MFA |
When signing in with a new device cookie or After MFA lifetime expires for the device cookie |
This combination creates a mismatch between the policy's condition and its action.
This security task helps users ensure that the MFA requirements configured by the admin aren’t in conflict with Okta’s Behavior Detection functionality, and that the MFA policy rule isn’t bypassed unintentionally. See About behavior detection.
When users select this security task, recommendations appear for correcting the configuration.
HealthInsight task recommendation
Set require factors to ensure that end users assigned to a given policy are enrolled in multifactor authentication.
| Okta recommends |
Select At every sign in for the Users will be prompted for MFA option on the Okta Sign-On Policy Add Rule or Edit Rule page. See Configure an Okta sign-on policy for instructions. |
| Security impact |
Moderate |
| End-user impact |
None |
Related topics
HealthInsight tasks and recommendations