End-users can register a new device during MFA enrollment. The first
time the user attempts access (and is not yet enrolled), the system presents a list of
factors available for enrollment. Push and TOTP variations of Okta Verify are displayed
as a single factor. Enrolling with a QR code, e-mail, or text message enrolls the user
in both Push and TOTP; entering a secret code manually enrolls the user in TOTP only.

When the Push factor is enrolled (or verified), the system polls the Okta
server until the user accepts the notification in the Okta Verify app. The time the user
has is limited by the
in per-request policies. Successful enrollment allows the access policy to continue
execution past the Okta MFA agent; there is no additional factor verification right

For the Yubico OTP factor, the administrator must first register the YubiKey in the
Okta org account. To enroll in the Yubico OTP factor, the user must use the YubiKey
device to generate the passcode.

When the user is enrolled in more than one factor, a factor list is displayed so the user
can select and verify one of them.

If a user enters an incorrect OTP code three times in a row,
Okta locks the user out and the agent follows the fallback branch.