MFA Factor Sequencing
Early Access release
Factor Sequencing allows an end user to authenticate themselves with a series of multifactor authentication (MFA) factors instead of a password.
- Factor Sequencing supports Okta Verify Push and other factors as the primary method of authentication.
- This feature is supported on Okta Mobile only if Password is set as the first factor.
There are two steps to set up Factor Sequencing successfully:
Note the following limitations before configuring Factor Sequencing:
- You can't use Factor Sequencing when you deploy Identity Provider and IWA sign-in flows. Users aren't prompted to authenticate with other factors when signing in to Okta using an external IdP or IWA.
- Factor Sequencing chains can't be specified for application sign-on policies.
- A user must be enrolled in the first factor in the factor sequence to be signed in successfully. If they haven't enrolled in the first factor of the sequence, they can't sign in.
- If the sign-on policy has multiple factor chains, the user must be enrolled in the first factor from at least one factor chain.
Factor Sequencing and Active Directory
To delegate authentication to Active Directory while using Factor Sequencing, enable the Password factor. Otherwise, Okta doesn't check the Active Directory account status during sign-in.
- The user account status is only updated at each import from Active Directory to Okta. Between imports, a user may sign in to Okta with a disabled Active Directory account using a passwordless flow (WebAuthn or Okta Verify Push without a password). You can perform a manual import from Active Directory to Okta to ensure that these accounts can't sign in.
- Okta only checks the password expiry if a password is required in a factor sequence. If a user must change their Active Directory password, they can still sign in to Okta without a password change using a passwordless flow.
In this section, verify that at least one MFA factor is required in your MFA enrollment policies.
- From the Admin Console, go to Security > Multifactor > Factor Enrollment to set the enrollment policies for the factors you have already activated for your users.
- Verify that the factors in at least one factor chain are marked as Required for enrollment. For example, by defining the following two factor sequences in your sign-on policy:
- SMS and Okta Verify
- Okta Verify and Security Questions
Your end users are required to enroll in the sequenced factors (a) or (b) for successful authentication to take place.
In this section, edit an Okta sign-on policy to specify the sequence of MFA factors when users authenticate to Okta.
- From the Admin Console, go to Security > Authentication > Sign On.
- Select an existing rule or create a rule for end users.
- After selecting your rule criteria, scroll down to Authentication to define your factor sequences.
Once your changes are saved, authentication with Factor Sequencing is immediately available to users.
Example of Factor Sequencing in the Admin Console when defining a policy rule for MFA enrollment:
- When you activate this feature, the Sign-In Widget changes for your end users. Instead of seeing the Username and Password fields on the same page, the user sees only the Username field on the first page. The user enters their username and clicks Next.
- The next pages present each factor in the configured sequence, one on each page. The user authenticates themselves with each factor and clicks Verify. For example, if you configure a Factor Sequence with the SMS factor first, followed by the WebAuthn factor, the user sees the Username field on the first page, the SMS challenge on the second page, and the WebAuthn challenge on the third page.
- After the user passes all verification steps, the Okta dashboard appears.