diff --git a/README.md b/README.md
index 0b24bd9..60cd739 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,5 @@
+# Tokendito
+
 <p align="center">
   <img src="https://raw.githubusercontent.com/dowjones/tokendito/main/docs/tokendito.png"/>
 </p>
@@ -26,11 +28,19 @@ tokens into your local `~/.aws/credentials` file.
 
 See [Releases](https://github.com/dowjones/tokendito/releases) for a detailed Changelog.
 
+### Tokendito 2.4.0
+
+Version 2.4.0 of Tokendito introduces the following new features:
+
+- Add support for Okta question MFA.
+- Many bug fixes and contributions.
+
 ### Tokendito 2.3.0
 
 Version 2.3.0 of Tokendito introduces the following new features:
 
 - Basic OIE support while forcing Classic mode.
+- Support for saving the Device Token ID for later reuse.
 - Misc bug fixes
 
 Note: This feature currently works with locally enabled OIE organizations, but it does not for Organizations with chained Authentication in mixed OIE/Classic environments.
diff --git a/docs/README.md b/docs/README.md
index b594179..c706b34 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -74,7 +74,8 @@ tokendito --profile engineer
 usage: tokendito [-h] [--version] [--configure] [--username OKTA_USERNAME] [--password OKTA_PASSWORD] [--profile USER_CONFIG_PROFILE] [--config-file USER_CONFIG_FILE]
                  [--loglevel {DEBUG,INFO,WARN,ERROR}] [--log-output-file USER_LOG_OUTPUT_FILE] [--aws-config-file AWS_CONFIG_FILE] [--aws-output AWS_OUTPUT]
                  [--aws-profile AWS_PROFILE] [--aws-region AWS_REGION] [--aws-role-arn AWS_ROLE_ARN] [--aws-shared-credentials-file AWS_SHARED_CREDENTIALS_FILE]
-                 [--okta-org OKTA_ORG | --okta-tile OKTA_TILE] [--okta-mfa OKTA_MFA] [--okta-mfa-response OKTA_MFA_RESPONSE] [--use-device-token] [--use-profile-expiration] [--quiet]
+                 [--okta-org OKTA_ORG | --okta-tile OKTA_TILE] [--okta-client-id OKTA_CLIENT_ID] [--okta-mfa OKTA_MFA] [--okta-mfa-response OKTA_MFA_RESPONSE]
+                 [--use-device-token] [--use-profile-expiration] [--quiet]
 
 Gets an STS token to use with the AWS CLI and SDK.
 
@@ -111,9 +112,9 @@ options:
                         Okta tile URL to use.
   --okta-client-id OKTA_CLIENT_ID
                         For OIE enabled Orgs this sets the Okta client ID to replace the value found by tokendito. It is used in the authorize code flow.
-  --okta-mfa OKTA_MFA   Sets the MFA method
+  --okta-mfa OKTA_MFA   Sets the MFA method. You can also use the TOKENDITO_OKTA_MFA environment variable.
   --okta-mfa-response OKTA_MFA_RESPONSE
-                        Sets the MFA response to a challenge
+                        Sets the MFA response to a challenge. You can also use the TOKENDITO_OKTA_MFA_RESPONSE environment variable.
   --use-device-token    Use device token across sessions
   --use-profile-expiration
                         Use profile expiration to bypass re-authenticating
diff --git a/pyproject.toml b/pyproject.toml
index 9d131ff..d77300e 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -7,7 +7,7 @@ exclude_lines = [
     "break",
     "except KeyboardInterrupt:",
     "if __name__ == .__main__.:",
-    "if __package__ is None:",
+    "if not __package__:",
     "logger.debug",
     "pragma: no cover",
     "print..Invalid input, try again...",
diff --git a/tests/unit/test_okta.py b/tests/unit/test_okta.py
index 4bddcd5..bcb7826 100644
--- a/tests/unit/test_okta.py
+++ b/tests/unit/test_okta.py
@@ -73,6 +73,7 @@ def test_bad_session_token(mocker, sample_json_response, sample_headers):
             {"_embedded": {"factor": {"factorType": "push"}}},
             345,
         ),  # Changed expected value to 2
+        ("OKTA", 321, {"_embedded": {"factor": {"factorType": "question"}}}, 321),
         ("GOOGLE", 456, {"_embedded": {"factor": {"factorType": "sms"}}}, 456),
     ],
 )
@@ -543,13 +544,16 @@ def test_create_authz_cookies():
     """Test create_authz_cookies."""
     from tokendito import okta
 
-    pytest_oauth2_session_data = {"state": "pyteststate"}
+    pytest_oauth2_session_data = {"state": "pyteststate", "nonce": "pytestnonce"}
 
     pytest_oauth2_config = {
         "client_id": "123",
         "org": "acme",
         "authorization_endpoint": "pytesturl",
         "token_endpoint": "tokeneurl",
+        "nonce": "pytest",
+        "issuer": "pytest",
+        "ln": "pytest",
     }
     assert okta.create_authz_cookies(pytest_oauth2_config, pytest_oauth2_session_data) is None
     from tokendito import okta
@@ -637,6 +641,9 @@ def test_get_authorize_code():
     response.url = "https://example.com?code=pytest"
     assert okta.get_authorize_code(response, "sessionToken") == "pytest"
 
+    response.url = "https//example.com?error=login_required"
+    assert okta.get_authorize_code(response, None) is None
+
 
 def test_authorization_code_enabled():
     """Test authorization_code_enabled."""
@@ -687,12 +694,33 @@ def test_authorize_request(mocker):
     assert okta.authorize_request(pytest_oauth2_config, pytest_oauth2_session_data) == "pytest"
 
 
-def test_generate_oauth2_session_data():
-    """Test generate_oauth2_session_data."""
+def test_get_nonce(mocker):
+    """Test get_nonce."""
+    from tokendito import okta
+
+    response = Mock()
+    response.text = """
+    <html>
+    <script nonce="PYTEST_NONCE" type="text/javascript">'
+    </html>
+    """
+    mocker.patch.object(HTTP_client, "get", return_value=response)
+
+    assert okta.get_nonce("https://acme.com") == "PYTEST_NONCE"
+
+    response.text = "nonce-non-present"
+    mocker.patch.object(HTTP_client, "get", return_value=response)
+    assert okta.get_nonce("https://acme.com") is None
+
+
+def test_get_oauth2_session_data(mocker):
+    """Test get_oauth2_session_data."""
     from tokendito import okta
 
+    mocker.patch("tokendito.okta.get_nonce", return_value="ABC")
     assert (
-        okta.generate_oauth2_session_data("acme.com")["redirect_uri"] == "acme.com/enduser/callback"
+        okta.get_oauth2_session_data("https://acme.com")["redirect_uri"]
+        == "https://acme.com/enduser/callback"
     )
 
 
@@ -709,7 +737,9 @@ def test_get_oauth2_configuration(mocker):
         "grant_types_supported": "authorization_code",
         "request_parameter_supported": "pytest",
     }
-    pytest_config = Config(okta={"client_id": "test_client_id", "org": "acme"})
+    pytest_config = Config(
+        okta={"client_id": "test_client_id", "org": "acme", "username": "pytest"}
+    )
     mocker.patch.object(HTTP_client, "get", return_value=response)
     assert okta.get_oauth2_configuration(pytest_config)["org"] == "acme"
 
@@ -740,6 +770,8 @@ def test_validate_oauth2_configuration():
         "scopes_supported": "pytest",
         "response_types_supported": "code",
         "request_parameter_supported": "pytest",
+        "ln": "pytest",
+        "nonce": "pytest",
     }
     assert okta.validate_oauth2_configuration(pytest_oauth2_config) is None
 
@@ -883,7 +915,7 @@ def test_access_control(mocker):
 
     mocker.patch("tokendito.okta.oie_enabled", return_value=True)
     mocker.patch("tokendito.okta.get_oauth2_configuration", return_value=None)
-    mocker.patch("tokendito.okta.generate_oauth2_session_data", return_value=None)
+    mocker.patch("tokendito.okta.get_oauth2_session_data", return_value=None)
     mocker.patch("tokendito.okta.create_authz_cookies", return_value=None)
     mocker.patch("tokendito.okta.idp_authenticate", return_value=None)
     mocker.patch("tokendito.okta.idp_authorize", return_value=None)
diff --git a/tests/unit/test_user.py b/tests/unit/test_user.py
index 3439901..656d845 100644
--- a/tests/unit/test_user.py
+++ b/tests/unit/test_user.py
@@ -60,13 +60,13 @@ def test_get_username(mocker):
     assert val == "pytest_patched"
 
 
-def test_get_password(mocker):
+def test_get_secret_input(mocker):
     """Test whether data sent is the same as data returned."""
     from tokendito import user
 
     mocker.patch("tokendito.user.tty_assertion", return_value=True)
     mocker.patch("tokendito.user.getpass", return_value="pytest_patched")
-    val = user.get_password()
+    val = user.get_secret_input()
 
     assert val == "pytest_patched"
 
diff --git a/tokendito/__init__.py b/tokendito/__init__.py
index d8c54dd..9b7f8b1 100644
--- a/tokendito/__init__.py
+++ b/tokendito/__init__.py
@@ -1,7 +1,7 @@
 # vim: set filetype=python ts=4 sw=4
 # -*- coding: utf-8 -*-
 """Tokendito module initialization."""
-__version__ = "2.3.3"
+__version__ = "2.4.0"
 __title__ = "tokendito"
 __description__ = "Get AWS STS tokens from Okta SSO"
 __long_description_content_type__ = "text/markdown"
diff --git a/tokendito/__main__.py b/tokendito/__main__.py
index 99bff00..1c7e7cd 100755
--- a/tokendito/__main__.py
+++ b/tokendito/__main__.py
@@ -7,7 +7,7 @@
 
 def main(args=None):  # needed for console script
     """Packge entry point."""
-    if __package__ is None:
+    if not __package__:
         import os.path
 
         path = os.path.dirname(os.path.dirname(__file__))
diff --git a/tokendito/aws.py b/tokendito/aws.py
index d7ada32..3f2fc83 100644
--- a/tokendito/aws.py
+++ b/tokendito/aws.py
@@ -72,7 +72,7 @@ def authenticate_to_roles(config, urls):
         saml_xml = okta.extract_saml_response(saml_response_string)
         if not saml_xml:
             state_token = okta.extract_state_token(saml_response_string)
-            if "Extra Verification" in saml_response_string and state_token:
+            if state_token:
                 logger.info(f"Step-Up authentication required for {url}.")
                 if okta.step_up_authenticate(config, state_token):
                     return authenticate_to_roles(config, urls)
diff --git a/tokendito/http_client.py b/tokendito/http_client.py
index 872c5a6..843a22e 100644
--- a/tokendito/http_client.py
+++ b/tokendito/http_client.py
@@ -81,6 +81,7 @@ def get(self, url, params=None, headers=None, allow_redirects=True):
 
     def post(self, url, data=None, json=None, headers=None, params=None, return_json=False):
         """Perform a POST request."""
+        response = None
         logger.debug(f"POST to {url}")
         try:
             response = self.session.post(url, data=data, json=json, params=params, headers=headers)
@@ -95,6 +96,11 @@ def post(self, url, data=None, json=None, headers=None, params=None, return_json
                 return response
         except requests.RequestException as e:
             logger.error(f"Error during POST request to {url}. Error: {e}")
+            if response:
+                logger.debug(f"Response Headers: {response.headers}")
+                logger.debug(f"Response Text: {response.text}")
+            else:
+                logger.debug("No response received")
             sys.exit(1)
         except Exception as err:
             logger.error(f"The post request to {url} failed with {err}")
diff --git a/tokendito/okta.py b/tokendito/okta.py
index fd18f2c..55e4b3a 100644
--- a/tokendito/okta.py
+++ b/tokendito/okta.py
@@ -17,8 +17,7 @@
 import re
 import sys
 import time
-from urllib.parse import urlencode
-from urllib.parse import urlparse
+import urllib
 
 import bs4
 from bs4 import BeautifulSoup
@@ -130,9 +129,11 @@ def get_saml_request(auth_properties):
     response = HTTP_client.get(url, headers=headers)
 
     # Extract the required parameters from the SAML request.
+    post_url = extract_form_post_url(response.text)
+    base_url = user.get_base_url(post_url)
     saml_request = {
-        "base_url": user.get_base_url(extract_form_post_url(response.text)),
-        "post_url": extract_form_post_url(response.text),
+        "base_url": base_url,
+        "post_url": post_url,
         "relay_state": extract_saml_relaystate(response.text),
         "request": extract_saml_request(response.text, raw=True),
     }
@@ -149,7 +150,6 @@ def send_saml_request(saml_request):
     Submit SAML request to IdP, and get the response back.
 
     :param saml_request: dict with IdP post_url, relay_state, and saml_request
-    :param cookies: session cookies with `sid`
     :returns: dict with with SP post_url, relay_state, and saml_response
     """
     # Define the payload and headers for the request
@@ -172,8 +172,6 @@ def send_saml_request(saml_request):
     # Use the HTTP client to make a GET request
     response = HTTP_client.get(url, params=payload, headers=headers)
 
-    logger.debug(f"{base64.b64decode(payload['SAMLRequest'])}")
-
     # Extract relevant information from the response to form the saml_response dictionary
     saml_response = {
         "response": extract_saml_response(response.text, raw=True),
@@ -184,6 +182,7 @@ def send_saml_request(saml_request):
     # Mask sensitive values for logging purposes
     user.add_sensitive_value_to_be_masked(saml_response["response"])
 
+    logger.debug(f"SAML response is {saml_response}")
     # Return the formed SAML response
     return saml_response
 
@@ -194,34 +193,51 @@ def create_authz_cookies(oauth2_config, oauth2_session_data):
 
     Needed for SAML2 flow for OIE.
     """
-    session_token = HTTP_client.session.cookies.get("sessionToken")
     try:
         oauth2_url = f"{oauth2_config['org']}/oauth2/v1"
         oauth2_config_reformatted = {
             "responseType": "code",
             "state": oauth2_session_data["state"],
+            "nonce": oauth2_session_data["nonce"],
+            "scopes": [
+                "openid",
+                "profile",
+                "email",
+                "okta.users.read.self",
+                "okta.users.manage.self",
+                "okta.internal.enduser.read",
+                "okta.internal.enduser.manage",
+                "okta.enduser.dashboard.read",
+                "okta.enduser.dashboard.manage",
+            ],
             "clientId": oauth2_config["client_id"],
-            "authorizeUrl": oauth2_config["authorization_endpoint"],
-            "tokenUrl": oauth2_config["token_endpoint"],
-            "scope": "openid",
-            "sessionToken": session_token,
-            "userInfoUrl": f"{oauth2_url}/userinfo",
-            "revokeUrl": f"{oauth2_url}/revoke",
-            "logoutUrl": f"{oauth2_url}/logout",
+            "urls": {
+                "issuer": oauth2_config["issuer"],
+                "authorizeUrl": oauth2_config["authorization_endpoint"],
+                "userinfoUrl": f"{oauth2_url}/userinfo",
+                "tokenUrl": oauth2_config["token_endpoint"],
+                "revokeUrl": f"{oauth2_url}/revoke",
+                "logoutUrl": f"{oauth2_url}/logout",
+            },
+            "ignoreSignature": False,
         }
     except KeyError as e:
         logger.error(f"Missing key in config:{e}")
         sys.exit(1)
 
     cookiejar = requests.cookies.RequestsCookieJar()
-    domain = urlparse(oauth2_config["org"]).netloc
+    domain = urllib.parse.urlparse(oauth2_config["org"]).netloc
     cookiejar.set(
         "okta-oauth-redirect-params",
-        f"{{{urlencode(oauth2_config_reformatted)}}}",
+        urllib.parse.quote(
+            json.dumps(oauth2_config_reformatted, separators=(",", ":")), safe="{}:[]/"
+        ),
         domain=domain,
         path="/",
     )
     cookiejar.set("okta-oauth-state", oauth2_session_data["state"], domain=domain, path="/")
+    cookiejar.set("okta-oauth-nonce", oauth2_session_data["nonce"], domain=domain, path="/")
+    cookiejar.set("ln", oauth2_config["ln"], domain=domain, path="/")
     HTTP_client.add_cookies(cookiejar)  # add cookies
 
 
@@ -242,7 +258,6 @@ def send_saml_response(config, saml_response):
     }
     url = saml_response["post_url"]
 
-    logger.debug(f"{base64.b64decode(saml_response['response'])}")
     # Log the SAML response details.
     logger.debug(f"Sending SAML response to {url}")
     # Use the HTTP client to make a POST request.
@@ -250,7 +265,6 @@ def send_saml_response(config, saml_response):
 
     # Get the 'sid' value from the reponse cookies.
     sid = response.cookies.get("sid", None)
-    logger.debug(f"New sid is {sid}")
 
     # If 'sid' is present, mask its value for logging purposes.
     if sid:
@@ -264,20 +278,19 @@ def send_saml_response(config, saml_response):
         params = {"stateToken": state_token}
         headers = {
             "accept": "text/html,application/xhtml+xml,application/xml",
-            "content-type": "application/json",
         }
         response = HTTP_client.get(
-            # myurl, allow_redirects=False, params={"stateToken": state_token}
             f"{config.okta['org']}/login/token/redirect",
             params=params,
             headers=headers,
         )
-        logger.warning(
-            f"""
-            State token from {url}: {state_token}. TODO: need to go from this state token
-            to an idx cookies.
-            """
-        )
+        if "idx" not in response.cookies:
+            logger.error(
+                f"Session cookie idx for {config.okta['org']} not found. Please file a bug."
+            )
+            logger.debug(f"Response: {response.headers}")
+            logger.debug(f"Response: {response.text}")
+            sys.exit(2)
 
 
 def get_session_token(config, primary_auth, headers):
@@ -418,10 +431,7 @@ def get_response_type():
 
 
 def get_authorize_scope():
-    """We're only implementing openid scope.
-
-    So we're only returning "openid", which is ok for what we do.
-    """
+    """We're only implementing openid scope."""
     return "openid"
 
 
@@ -555,13 +565,35 @@ def authorize_request(oauth2_config, oauth2_session_data):
         params=payload,
     )
 
+    idx = HTTP_client.session.cookies.get("idx", None)
+    if idx:
+        user.add_sensitive_value_to_be_masked(idx)
+    else:
+        logger.debug("We did not find an 'idx' entry in the cookies.")
+
     authorize_code = get_authorize_code(response, session_token)
     return authorize_code
 
 
-def generate_oauth2_session_data(url):
+def get_nonce(url):
+    """Get nonce from the org server."""
+    userhome_url = f"{url}/app/UserHome"
+    payload = {"session_hint": "AUTHENTICATED", "iss": urllib.parse.quote(userhome_url, safe="")}
+    response = HTTP_client.get(url, params=payload)
+    # '<script nonce="ABCXXXXXXXXXXXXXXXXYZ" type="text/javascript">'
+    nonce = None
+    pattern = re.compile(r'script nonce="(?P<nonce>.*?)" ', re.MULTILINE)
+    match = pattern.search(response.text)
+    if match:
+        logger.debug(f"Found nonce: {match.group('nonce')}")
+        nonce = match.group("nonce")
+
+    return nonce
+
+
+def get_oauth2_session_data(url):
     """
-    Generate some oauth2 session data.
+    Get some oauth2 session data.
 
     We do this to have the same in oath2 cookies and /authorize call.
     """
@@ -572,6 +604,8 @@ def generate_oauth2_session_data(url):
         "redirect_uri": get_redirect_uri(url),
         "grant_type": "authorization_code",
     }
+    authz_session_data["nonce"] = get_nonce(url)
+
     if pkce_enabled():
         code_verifier = get_pkce_code_verifier()
         authz_session_data["code_verifier"] = code_verifier
@@ -591,10 +625,11 @@ def get_oauth2_configuration(config):
     headers = {"accept": "application/json"}
     response = HTTP_client.get(url, headers=headers)
     logger.debug(f"Authorization Server info: {response.json()}")
-    # todo: handle errors.n
+    # TODO: handle errors
     oauth2_config = response.json()
     oauth2_config["org"] = config.okta["org"]
     oauth2_config["client_id"] = get_client_id(config)
+    oauth2_config["ln"] = config.okta["username"]
     validate_oauth2_configuration(oauth2_config)
     return oauth2_config
 
@@ -614,6 +649,7 @@ def validate_oauth2_configuration(oauth2_config):
         "scopes_supported",
         "client_id",
         "org",
+        "ln",
     }  # the authorization server must have these config elements
     for item in mandadory_oauth2_config_items:
         if item not in oauth2_config:
@@ -656,8 +692,8 @@ def create_authn_cookies(authn_org_url, session_token):
     user.add_sensitive_value_to_be_masked(session_id)
 
     cookiejar = requests.cookies.RequestsCookieJar()
-    domain = urlparse(url).netloc
-    cookiejar.set("sid", session_id, domain=urlparse(url).netloc, path="/")
+    domain = urllib.parse.urlparse(url).netloc
+    cookiejar.set("sid", session_id, domain=domain, path="/")
     cookiejar.set("sessionToken", session_token, domain=domain, path="/")
     HTTP_client.add_cookies(cookiejar)  # add cookies
 
@@ -670,21 +706,16 @@ def idp_authenticate(config):
         logger.error("Okta auth failed: unknown type.")
         sys.exit(1)
 
-    auth_properties = get_auth_properties(userid=config.okta["username"], url=config.okta["org"])
-
-    if "type" not in auth_properties:
-        logger.error("Okta auth failed: unknown type.")
-        sys.exit(1)
-
-    if is_saml2_authentication(auth_properties):
-        # We may loop thru the saml2 servers until
-        # we find the authentication server.
-        saml2_authenticate(config, auth_properties)
-    elif local_authentication_enabled(auth_properties):
+    # Possible recursion ahead. The exit condition should be the first if statement.
+    if local_authentication_enabled(auth_properties):
         session_token = local_authenticate(config)
         # authentication sends us a token
         # which we then put in our session cookies
         create_authn_cookies(config.okta["org"], session_token)
+    elif is_saml2_authentication(auth_properties):
+        # We may loop thru the saml2 servers until
+        # we find the authentication server.
+        saml2_authenticate(config, auth_properties)
     else:
         logger.error(
             f"{auth_properties['type']} login via IdP Discovery is not currently supported"
@@ -714,10 +745,11 @@ def access_control(config):
         logger.debug("OIE enabled")
         # save some oauth2 config data + create session data, and create authz cookies
         oauth2_config = get_oauth2_configuration(config)
-        oauth2_session_data = generate_oauth2_session_data(config.okta["org"])
+        oauth2_session_data = get_oauth2_session_data(config.okta["org"])
         create_authz_cookies(oauth2_config, oauth2_session_data)
-        # The flow says to initially call /authorize here, but that doesnt do anything...
-        # idp_authorize(oauth2_config, oauth2_session_data)
+        # The flow says to initially call /authorize here, but that doesnt do anything.
+        idp_authorize(oauth2_config, oauth2_session_data)
+        # We call it later, after we are authenticated.
 
     idp_authenticate(config)
 
@@ -930,10 +962,10 @@ def extract_form_post_url(html):
     """
     soup = BeautifulSoup(html, "html.parser")
     post_url = None
-
     elem = soup.find("form", attrs={"id": "appForm"})
     if type(elem) is bs4.element.Tag:
         post_url = str(elem.get("action"))
+        logger.debug(f"Found POST URL: {post_url}")
     return post_url
 
 
@@ -1005,7 +1037,9 @@ def mfa_provider_type(
 
     elif mfa_provider == "OKTA" and factor_type == "push":
         mfa_verify = push_approval(mfa_challenge_url, payload)
-    elif mfa_provider in ["OKTA", "GOOGLE"] and factor_type in ["token:software:totp", "sms"]:
+    elif (mfa_provider in ["OKTA", "GOOGLE"] and factor_type in ["token:software:totp", "sms"]) or (
+        mfa_provider == "OKTA" and factor_type == "question"
+    ):
         mfa_verify = totp_approval(
             config, selected_mfa_option, headers, mfa_challenge_url, payload, primary_auth
         )
@@ -1060,7 +1094,7 @@ def mfa_challenge(config, headers, primary_auth):
     :param primary_auth: primary authentication
     :return: Okta MFA Session token after the successful entry of the code
     """
-    logger.debug("Handle user MFA challenges")
+    logger.debug("Handle user MFA challenge")
     try:
         mfa_options = primary_auth["_embedded"]["factors"]
     except KeyError as error:
@@ -1121,7 +1155,12 @@ def totp_approval(config, selected_mfa_option, headers, mfa_challenge_url, paylo
     logger.debug(f"User MFA options selected: [{selected_mfa_option['factorType']}]")
     if config.okta["mfa_response"] is None:
         logger.debug("Getting verification code from user.")
-        config.okta["mfa_response"] = user.get_input("Enter your verification code: ")
+        if selected_mfa_option["factorType"] == "question":
+            config.okta["mfa_response"] = user.get_secret_input(
+                selected_mfa_option["profile"]["questionText"]
+            )
+        else:
+            config.okta["mfa_response"] = user.get_input("Enter your verification code: ")
         user.add_sensitive_value_to_be_masked(config.okta["mfa_response"])
 
     # time to verify the mfa
diff --git a/tokendito/tokendito.py b/tokendito/tokendito.py
index 85cc374..9b9d523 100755
--- a/tokendito/tokendito.py
+++ b/tokendito/tokendito.py
@@ -7,7 +7,7 @@
 
 def main(args=None):  # needed for console script
     """Packge entry point."""
-    if __package__ is None:
+    if not __package__:
         import os.path
 
         path = os.path.dirname(os.path.dirname(__file__))
diff --git a/tokendito/user.py b/tokendito/user.py
index 158f8ea..0e5fd28 100644
--- a/tokendito/user.py
+++ b/tokendito/user.py
@@ -64,6 +64,9 @@ def cmd_interface(args):
         )
         sys.exit(1)
 
+    # rm trailing / if provided as such so the urls with this as base dont have //
+    config.okta["org"] = config.okta["org"].strip("/")
+
     check_profile_expiration(config)
 
     if config.user["use_device_token"]:
@@ -78,12 +81,7 @@ def cmd_interface(args):
 
     # get authentication and authorization cookies from okta
     okta.access_control(config)
-    logger.debug(
-        f"""
-        about to call discover_tile
-        we have client cookies: {HTTP_client.session.cookies}
-        """
-    )
+
     if config.okta["tile"]:
         tile_label = ""
         config.okta["tile"] = (config.okta["tile"], tile_label)
@@ -868,7 +866,7 @@ def process_interactive_input(config, skip_password=False):
 
     if ("password" not in config.okta or config.okta["password"] == "") and not skip_password:
         logger.debug("No password set, will try to get one interactively")
-        res["okta"]["password"] = get_password()
+        res["okta"]["password"] = get_secret_input()
         add_sensitive_value_to_be_masked(res["okta"]["password"])
 
     config_int = Config(**res)
@@ -981,22 +979,24 @@ def get_username():
     return res
 
 
-def get_password():
-    """Set okta password interactively.
-
-    :param args: command line arguments
-    :return: okta_password
+def get_secret_input(message=None):
+    """Get secret value interactively.
 
+    :param args: message to display user.
+    :return: secret
     """
-    res = ""
-    logger.debug("Set password.")
+    secret = ""
+    logger.debug("get_secret_value")
 
     tty_assertion()
-    while res == "":
-        password = getpass()
-        res = password
-        logger.debug("password set interactively")
-    return res
+    while secret == "":
+        if message is None:
+            password = getpass()
+        else:
+            password = getpass(message)
+        secret = password
+        logger.debug("secret value set interactively")
+    return secret
 
 
 def get_interactive_profile_name(default):