diff --git a/builtin/credential/okta/backend.go b/builtin/credential/okta/backend.go
index e91d6635878a..ad96013a7782 100644
--- a/builtin/credential/okta/backend.go
+++ b/builtin/credential/okta/backend.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 
 	"github.com/chrismalek/oktasdk-go/okta"
+	"github.com/hashicorp/vault/helper/mfa"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 )
@@ -22,6 +23,8 @@ func Backend() *backend {
 		Help: backendHelp,
 
 		PathsSpecial: &logical.Paths{
+			Root: mfa.MFARootPaths(),
+
 			Unauthenticated: []string{
 				"login/*",
 			},
@@ -36,8 +39,9 @@ func Backend() *backend {
 			pathGroups(&b),
 			pathUsersList(&b),
 			pathGroupsList(&b),
-			pathLogin(&b),
-		}),
+		},
+			mfa.MFAPaths(b.Backend, pathLogin(&b))...,
+		),
 
 		AuthRenew:   b.pathLoginRenew,
 		BackendType: logical.TypeCredential,
diff --git a/website/source/docs/auth/mfa.html.md b/website/source/docs/auth/mfa.html.md
index 46617e1c565d..4e61f9130643 100644
--- a/website/source/docs/auth/mfa.html.md
+++ b/website/source/docs/auth/mfa.html.md
@@ -12,7 +12,7 @@ Several authentication backends support multi-factor authentication (MFA). Once
 a backend, users are required to provide additional verification, like a one-time passcode,
 before being authenticated.
 
-Currently, the "ldap", "radius" and "userpass" backends support MFA.
+Currently, the "ldap", "okta", "radius", and "userpass" backends support MFA.
 
 ## Authentication