Select authenticators required for enrollment

Select at least one authenticator as required for enrollment. If you select more than one authenticator as required for enrollment, you can prevent users from losing access if they fail to authenticate using a single authenticator. See Multifactor authentication.

Update your global session policies and authentication policies to prompt users to enroll in these authenticators the next time they sign in.

HealthInsight task recommendation

Set required authenticators to ensure that users assigned to a given policy are enrolled in those authenticators.

Okta recommends: Require at least one authenticator in every authenticator enrollment policy.

Security impact: Moderate

User impact: None

If an authenticator is required as part of the authenticator enrollment policy, users must enroll in the authenticator before they can sign in to their org. Setup steps are different for each authenticator.

Set a required authenticator in an authenticator enrollment policy

  1. In the Admin Console, go to Security > Authenticators.
  2. Click the Enrollment tab.
  3. Select a policy and then click Edit.
  4. From the list of Effective authenticators, set at least one authenticator to Required.
  5. Click Update Policy.
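
To check the same condition across every enrollment policy at once instead of opening each one in the Admin Console, the following added example (not Okta's code) audits policy objects for a Required authenticator. It assumes the JSON shape of MFA_ENROLL policies returned by the Okta Policies API (`GET /api/v1/policies?type=MFA_ENROLL`); the sample policies, the `policy` helper, and the result labels are constructed for illustration.

```python
# Added example (not Okta code). Policy objects are constructed samples shaped
# like MFA_ENROLL policies from the Policies API; verify field names in your org.
def policy(name, status, **enroll):
    # Hypothetical helper that builds one sample policy object.
    auths = [{"key": k, "enroll": {"self": v}} for k, v in enroll.items()]
    return {"name": name, "type": "MFA_ENROLL", "status": status,
            "settings": {"type": "AUTHENTICATORS", "authenticators": auths}}

SAMPLE_POLICIES = [
    policy("Default Policy", "ACTIVE", okta_password="REQUIRED", okta_email="OPTIONAL"),
    policy("Contractors", "ACTIVE", okta_email="OPTIONAL", phone_number="OPTIONAL"),
    policy("Employees", "ACTIVE", okta_password="REQUIRED", okta_verify="REQUIRED"),
    policy("Legacy", "INACTIVE", okta_email="OPTIONAL"),
]

def audit_enrollment_policies(policies):
    """Return one finding per active enrollment policy."""
    findings = []
    for p in policies:
        if p.get("type") != "MFA_ENROLL" or p.get("status") != "ACTIVE":
            continue  # skip policies that are not active
        auths = p.get("settings", {}).get("authenticators", [])
        required = sorted(a["key"] for a in auths
                          if a.get("enroll", {}).get("self") == "REQUIRED")
        if not required:
            result = "NO_REQUIRED_AUTHENTICATOR"      # the HealthInsight condition
        elif len(required) == 1:
            result = "SINGLE_REQUIRED_AUTHENTICATOR"  # no fallback if it fails
        else:
            result = "OK"
        findings.append({"policy": p["name"], "required": required, "result": result})
    return findings

if __name__ == "__main__":
    for f in audit_enrollment_policies(SAMPLE_POLICIES):
        print(f"{f['policy']:15} {f['result']:30} {', '.join(f['required']) or '-'}")
```
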

Require users to enroll in an authenticator when prompted

  1. In the Admin Console, go to Security > Authenticators.
  2. Click the Enrollment tab.
  3. Choose one of the active policy rules in the list and click Edit.
  4. Under the condition THEN Enrollment is, select Allow for all authenticators.
  5. Click Update Rule.

Prompt users for authenticators when they sign in

  1. In the Admin Console, go to Security > Global Session Policy.
  2. Select the policy that you want to add a rule to.
  3. Select a rule and click Edit.
  4. In Then Access is, select an option to determine whether this rule allows or denies access.
  5. In Prompt for Factor, select Password / IDP or Password / IDP / any factor allowed by app sign on rules. To set up passwordless authentication, see Set up passwordless sign-in experience.
  6. Click Update Rule.

See Add a global session policy rule.

Related topics

HealthInsight tasks and recommendations

Create an authenticator enrollment policy

Add a global session policy rule