__Secure-ob-XXXX cookie overrides the default authentication factor

Article ID: 436737

Products

Symantec Identity Security Platform - IDSP (formerly VIP Authentication Hub)

Issue/Introduction

When a default second factor (e.g., SMS OTP) is configured in the Tenant Settings (Service Configuration), the setting is not always honored.

Steps to Reproduce:

  1. Configure an Authentication Policy with multiple 2nd factor options (e.g., SMS OTP and Email OTP).
  2. In Tenant Settings, set "Security code by SMS" (SMS OTP) as the default.
  3. A user logs in and is presented with the default SMS OTP, but selects "Choose another option" and successfully authenticates using Email OTP.
  4. The user signs out.
  5. The user logs in again using the same browser.

Expected Behavior: The user is prompted with the default factor (SMS OTP) as defined in Tenant Settings.
Actual Behavior: The user is immediately prompted with Email OTP, bypassing the tenant-wide default.

Environment

IDSP (formerly VIP Authentication Hub)

Cause

This behavior is by design in the current implementation of the SignIn UI. The system uses a cookie named __Secure-ob-XXXX to store the user's last successful authentication preference. The intent is to improve the user experience by reducing the number of clicks required for subsequent logins. Currently, this browser-side cookie preference takes precedence over the server-side Tenant Settings.

Resolution

This issue has been identified as needing additional administrative control. A formal enhancement request has been created to provide a configuration parameter that lets administrators disable this cookie-based persistence, or ensure that Tenant Settings always take priority over the stored preference.

Enhancement Reference: F165585 (formerly DE667679).
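The precedence rule described under Cause, and the administrative switch requested under Resolution, can be modelled in a few lines. The following is an added illustration, not code from IDSP or the VIP Authentication Hub SignIn UI: it parses a browser Cookie header, reads the __Secure-ob-XXXX preference (the suffix placeholder is the article's; the real cookie name is not given), and resolves which second factor to prompt first, once with the current cookie-wins behaviour and once with a hypothetical enforce-tenant-default setting. The factor identifiers, function names and the sample Cookie header are all constructed for the example. It also adds one check a defender would want regardless of which setting wins: the cookie value is only honoured if it names a factor the Authentication Policy actually allows.

```javascript
// Added illustration (not IDSP/VIP Authentication Hub code): a model of how a
// sign-in UI chooses the second factor to prompt first, comparing the behaviour
// the article describes (browser cookie preference wins) with the behaviour the
// enhancement request asks for (tenant default wins unless admins opt in).
// All identifiers below are hypothetical.

// Factor identifiers are assumptions; the article only names SMS OTP and Email OTP.
const SMS_OTP = "sms_otp";
const EMAIL_OTP = "email_otp";

// Minimal parser for a browser Cookie request header -> { name: value }.
// Splits on the first "=" only, so values containing "=" survive intact.
function parseCookieHeader(header) {
  const jar = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) jar[name] = value;
  }
  return jar;
}

// Returns the stored preference from the __Secure-ob-XXXX cookie, or null when absent.
// "XXXX" is the placeholder used by the article; the real suffix is not given.
function readPreferenceCookie(jar, cookieName = "__Secure-ob-XXXX") {
  return Object.prototype.hasOwnProperty.call(jar, cookieName) ? jar[cookieName] : null;
}

/**
 * Decide which second factor to present first.
 *   policyFactors        - factors allowed by the Authentication Policy (array)
 *   tenantDefault        - default factor from Tenant Settings
 *   cookiePref           - value read from __Secure-ob-XXXX, or null
 *   enforceTenantDefault - hypothetical admin switch from the enhancement request
 * Returns { factor, source } where source records which setting won.
 */
function resolveSecondFactor({ policyFactors, tenantDefault, cookiePref, enforceTenantDefault }) {
  // Never trust the cookie blindly: a stale or tampered value must still name a
  // factor the policy allows, otherwise it is ignored.
  const cookieValid = cookiePref !== null && policyFactors.includes(cookiePref);
  if (!enforceTenantDefault && cookieValid) {
    return { factor: cookiePref, source: "cookie" }; // behaviour described in the article
  }
  if (policyFactors.includes(tenantDefault)) {
    return { factor: tenantDefault, source: "tenant" };
  }
  // Tenant default is not permitted by the policy: fall back to the first allowed factor.
  return { factor: policyFactors[0], source: "policy" };
}

// Walk through the article's reproduction scenario for a given admin setting.
function reproduceScenario(enforceTenantDefault) {
  const policyFactors = [SMS_OTP, EMAIL_OTP]; // step 1: policy allows both factors
  const tenantDefault = SMS_OTP;              // step 2: SMS OTP is the tenant default
  // Constructed Cookie header for a browser in which the user last completed
  // Email OTP via "Choose another option" (step 3), then signed out and returned.
  const cookieHeader = "session=abc123; __Secure-ob-XXXX=" + EMAIL_OTP;
  const cookiePref = readPreferenceCookie(parseCookieHeader(cookieHeader));
  return resolveSecondFactor({ policyFactors, tenantDefault, cookiePref, enforceTenantDefault });
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("current behaviour:", reproduceScenario(false)); // email_otp, source "cookie"
  console.log("enhancement on   :", reproduceScenario(true));  // sms_otp, source "tenant"
}
```

With `enforceTenantDefault` false the model reproduces the Actual Behavior from the article (Email OTP is prompted first because the cookie wins); with it true the Expected Behavior results (SMS OTP, as defined in Tenant Settings). The policy-membership check on the cookie value is the example's own addition: it is the sort of server-side validation that keeps a browser-stored preference from selecting a factor an administrator has since removed from the policy.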

Workaround

Users can manually update their stored preference by following these steps:

  1. On the authentication screen, select Choose another option.
  2. Select the desired default factor (e.g., SMS OTP).
  3. Complete the authentication flow successfully.

The __Secure-ob-XXXX cookie will be updated with this new preference, and the user will be prompted with this factor on their next login attempt in the same browser session.