End-users can register a new device during MFA enrollment, after logging in
with primary authentication. Subsequent logins go straight to the configured option(s),
where Okta MFA authenticates the user using Push, TOTP, or YubiKey. When the user
enrolls with more than one factor, a drop-down list displays all the factors available
for selection. When the user enters a wrong OTP code, the agent follows the fallback
branch. Depending on the settings in the Okta console, Okta locks the user out after
unsuccessful attempts.