There are a few places that you need to configure Multifactor authentication(MFA) in Okta. In the Classic UI under Security->Authentication->SignOn. You need to create a new Okta Sign-On Policy, add a rule and make sure the "Prompt for Factor" is checked. You then have the choice of, Per Device, Every Time, Per Session. You select one of these depending on your security requirements. This selection is important as it may conflict with the application MFA settings.
You'll also need to go to Security->Mulitfactor->Factor Enrollment and create a new policy or edit the default and ensure that you have atleast one Eligle factor as 'required'. I'd suggest starting with SMS. Make sure that you have the appropriate groups assigned as well. To start maybe just assign "everyone" and then widdle down after you get it working.
Next you need to configure multifactor for the application. Go to Applications->Applications and select your application. Then select the "Sign On". At the bottom of the page you need add a rule that will allow for MFA. After giving your access rule a name and adding any other required restrictions, you'll need to add an access rule, check off the "Prompt for factor" and select how often you want the user to be asked for another multifactor. This is the part that is tricky, if you selected Per device in the above and then here select "once a month", it possible that it won't work at all or that you get authenticated and then get this error a month later again. In my opinon to have two combination choices.
1) "Every Time" and a "Once a day/week/month" option
or
2)"Per Device" and then "Only once"
This is what I found anyway. Whatever you do don't do what I did....Select "Every time and one month", get authenticated and then comeback and change the Authentication to "per Device" and then get the error a month later after you've completely forgetten how it was configured
