App-level multifactor authentication

You can configure multifactor authentication (MFA) at the application level. By adding MFA to an app, you provide an additional layer of security for specific apps. The end users you assign the app to must respond to additional authentication factors to access the app.

You can configure app-level MFA by itself or together with org-level MFA. Refer to Multifactor Authentication for more information on org-level MFA. If you configure both, your end users are asked for the additional authentication factors when they sign in to Okta and again when they sign in to apps that you have configured for app-level MFA.

Configure app-level MFA

  1. From your Administrator Dashboard, select Applications and select the app you want to configure.
  2. Click the Sign On tab and scroll down to the Sign On Policy section.
  3. You can either create a new rule or modify an existing one to set up MFA on the app. Select either Add Rule to create a new rule or select the edit rule pencil icon in the Action column for the rule you want to modify. The App Sign On Rule dialog box appears. Give the rule a name.
  4. Optional. To configure MFA for specific groups and users, go to the Conditions section and under the question, "Who does this rule apply to?" select The following groups and users. After this selection, you can enter the names of the groups and users you want to include.

    In addition, you can check Exclude the following users and groups from this rule to exclude groups and users. After this selection, you can enter the groups and users that you want to exclude from the rule.

  5. If you have not configured your factor types yet, click the Multifactor Authentication link. After you configure your factor types, close the tab or window and return to this page. If you have already configured your factor types, proceed to the following step.
  6. Scroll down to the Actions section. Under Access, select Allowed with multifactor, select when your end users must provide the additional factors, and then click the Save button.
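
The include and exclude conditions from step 4, together with the access setting from step 6, decide who actually receives the MFA prompt. The following Python example is added here and is not Okta code or its API schema: the Rule fields, the access values and the sample users and groups are constructed, and it assumes rules are evaluated top-down with a catch-all allow rule last. It lists the users who would reach the app without an additional factor.

```python
# Added example: offline review of app sign-on rules for MFA coverage gaps.
# Field names and access values are hypothetical, not Okta's API schema.
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    access: str                                  # "ALLOW", "ALLOW_WITH_MFA" or "DENY"
    include: set = field(default_factory=set)    # empty set = applies to everyone
    exclude: set = field(default_factory=set)    # user or group names


def matches(rule, user, groups):
    """A rule applies if the user is not excluded and is in scope."""
    ids = {user} | groups
    if ids & rule.exclude:
        return False
    return not rule.include or bool(ids & rule.include)


def effective_rule(rules, user, groups):
    """Assumption: rules are evaluated top-down and the first match wins."""
    for rule in rules:
        if matches(rule, user, groups):
            return rule
    return None


def mfa_gaps(rules, directory):
    """Return {user: rule name} for users who get access with no MFA prompt."""
    gaps = {}
    for user, groups in directory.items():
        rule = effective_rule(rules, user, groups)
        if rule is None or rule.access == "ALLOW":
            gaps[user] = rule.name if rule else "<no rule>"
    return gaps


# Constructed sample data: one MFA rule with exclusions, then a catch-all.
RULES = [
    Rule("Require MFA for Finance", "ALLOW_WITH_MFA",
         include={"Finance"}, exclude={"svc-reporting", "Contractors"}),
    Rule("Default sign on rule", "ALLOW"),
]
DIRECTORY = {"alice": {"Finance"}, "bob": {"Finance", "Contractors"},
             "svc-reporting": {"Finance"}, "carol": {"Engineering"}}

if __name__ == "__main__":
    for user, rule in sorted(mfa_gaps(RULES, DIRECTORY).items()):
        print(f"{user}: no MFA prompt (matched '{rule}')")
```

Every user or group named in an exclusion, and every user outside the included groups, falls through to the next rule, so review exclusions against what that rule allows.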

About End-User Sign On

The next time your end users attempt to launch an app that has app-level MFA, they are prompted to set up their extra verification information for the additional factors you configured if they have not already done so. For example, if you configured SMS as an additional factor, end users must provide a mobile number at which they can receive SMS text messages. If they have already configured their extra verification settings, they are only prompted to provide the additional authentication factors to obtain access to the app.