MFA Factor Sequencing
This is an Early Access feature. To enable it, contact Okta Support.
Factor Sequencing allows an end user to sign in to their org by authenticating with a series of configured MFA factors in place of a standard password.
- Factor Sequencing supports Okta Push and other factors as the primary method of authentication.
- This feature is supported on Okta Mobile only if password is set as the first factor.
- To configure and activate your factors of choice, navigate to Security > Multifactor > Factor Types from the Admin Console.
There are two steps to set up Factor Sequencing successfully:
- Set required MFA factors in MFA enrollment policies
- Define the MFA factor sequence in Okta sign-on policies
Before you begin
Note the following limitations before configuring Factor Sequencing:
- You cannot use Factor Sequencing when you deploy Identity Provider and IWA sign-in flows. Users will not be prompted to authenticate with additional factors when signing in to Okta using an external IDP or IWA.
- Factor Sequencing chains cannot be specified for application sign-on policies.
- A user must be enrolled in the first factor in the factor sequence to be sign in successfully. If they have not enrolled in the first factor of the sequence, they will be unable to sign in.
- If the sign-on policy has multiple factor chains, the user must be enrolled in the first factor from at least one factor chain.
Factor Sequencing and Active Directory
If your org uses Factor Sequencing and delegates authentication to Active Directory, Active Directory account status will not be checked during the sign-in flow unless the password MFA factor is enabled.
- In this scenario, a user could be disabled in AD and their status will not be updated until the next import from AD to Okta.
- In the time frame before the import from AD to Okta occurs, a user disabled in AD could sign in to Okta using a passwordless flow (such as WebAuthN or Okta Verify Push without a password) if a password less flow is enabled.
- To mitigate any issues, import AD manually to inform Okta to disable the user faster than a regularly scheduled import. Password expiry state is only checked if a password is used in a factor sequence.
- In the scenario where a user must change their AD password (e.g. AD password expired), the user can still sign in to Okta without a password change using a passwordless flow.
Set required MFA factors
In this section, verify that at least one MFA factor is required in your MFA enrollment policies.
- From the Admin Console, navigate to Security > Multifactor > Factor Enrollment to set the enrollment policies for the factors you have already activated for your users.
- Verify that the factors in at least one factor chain is marked as Required for enrollment. For example, by defining the following two factor sequences in your sign on policy:
a. SMS and Okta Verify
b. Okta Verify and Security Questions
Your end users are required to enroll in the sequenced factors (a) or (b) for successful authentication to take place.
Define the MFA factor sequence
In this section, edit a sign-on policy to specify the sequence of MFA factors when users authenticate to Okta.
- From the Admin Console, navigate to Security > Authentication > Sign On.
- Select an existing rule or create a new rule for end users.
- After selecting your rule criteria, scroll down to Authentication to define your factor sequences.
Once your changes are saved, authentication with factor sequencing will be made available to end users immediately.
Example of Factor Sequencing in the admin console when defining a policy rule for MFA enrollment:
- At Okta sign in, the end user is prompted to enter their ID to sign in.
- After entering their ID and clicking Next, the end user must authenticate with one or more factors that have been configured by their admin as part of the sign on policy.
- The end user can also select other factors in the sequence to authenticate via the factors listed in the drop-down menu.