How does Yokohama or later release apply multifactor authentication (MFA) ?SummaryIf a user isn't prompted with a MFA screen, please follow this troubleshooting guideline: Check if MFA has been enabled (i.e. glide.authenticate.multifactor property is set to true ) Check if MFA auth policy has been enabled (i.e. glide.authenticate.auth.policy.enabled is set to true ). If this isn't enabled then the MFA context specified policies will be ignored. Ensure the MFA context (/sys_mfa_policy_context.do) policy's policy conditions are met. 4. Ensure the policy criteria are met in the policy condition (/sys_auth_policy_condition.do) 5. [optional] Take a look at the execution order of Adaptive Authentication properties. It lists out a set of system properties that are executed in a particular ranked order. The following system properties are something that you should keep an eye on and some of them have already been discussed in the above points: glide.authenticate.auth.policy.enabledglide.authenticate.preauth.allow.trusted.deviceglide.trusted.device.max.countglide.preauth.device.trust.skip.user.registrationglide.authenticate.policy.debugglide.authenticate.debug.allow.trusted.deviceglide.authenticate.global.blocking_policy.error_codeglide.authenticate.global.blocking_policy.error_messageglide.auth.policy.ui.error.messagesession.validation.enabled If you are still unsure, make sure you toggle on the glide.authenticate.policy.debug system property and toggle certain other properties mentioned on the MFA troubleshooting document (if needed). Instance logs is your best bet to find out which policy criteria/condition is preventing the user from viewing the MFA screen or in fact interfering with their login flow (as would be the case in customers reporting login issues). Ensure you obtain their transaction ID (txid) from their response header to /$login.do request. The following flow-chart should provide you with an idea of the login flow of a user in Yokohama (or later) release: