App-level multifactor authentication
You can configure multifactor authentication (MFA) at the application level. This provides an extra layer of security for the apps that you specify. Users must re-authenticate with the factors you configure to access the app.
You can configure app-level MFA, org-level MFA, or both. If you configure both, users must authenticate when they sign into Okta and again when they sign into apps that you've configured for app-level MFA.
Refer to Multifactor Authentication for information on org-level MFA.
Configure app-level MFA
-
In the Admin Console, go to .
- Click the Sign On tab.
- You can create a rule or modify an existing one to configure MFA on the app. Click Add Rule to create a rule, or click the edit rule pencil icon in the Actions column for the rule you want to modify. The App Sign On Rule dialog box appears.
- Enter a rule name in Rule Name.
- Optional. In the PEOPLE section, select the users and groups to whom this rule applies.
- Users assigned this app: Select this option to assign this rule automatically to all users who are assigned to this app from the app's Assignments tab.
- The following groups and users:
- Groups: Enter the names of groups to whom you want to apply this rule.
- Users: Enter the names of individual users to whom you want to apply this rule.
- Exclude the following users and groups from this rule: Select this option to add groups and users that you want to exclude from this rule. The following options appear:
- Excluded Groups
- Enter the names of groups that you want to exclude from this rule.
- Excluded Users
- Enter the names of individuals that you want to exclude from this rule.
- Optional. In the LOCATION section, select an option to require MFA to access to the app based on the user's network zone.
- Anywhwere: Require MFA to access the app from users who sign in from any network zone.
- In Zone: Require MFA to access the app from users who sign in from network zones that you specify.
- Not in Zone: Require MFA to access the app from users who sign in from outside of the network zones that you specify.
- Network Zones
- All Zones: Select this option to apply the In Zone or Not in Zone option to users who sign in from all network zones.
- Click in the field and enter the names of network zones to apply to the In Zone or Not in Zone option.
- Optional. In the CLIENT section, select the platforms to which you want to apply this rule.
- In the ACCESS section, select whether sign-on to the application is allowed or denied from the dropdown. Select an action:
- Prompt for re-authentication: Require users to re-authenticate when they try to access the app.
- Prompt for factor: Require that users authenticate with a specific factor when they try to access the app.
- Multifactor Settings: If you haven't configured your factor types yet, you can click this link and configure them. Don't click this link if you've already configured your factor types.
- Click Save.
End-user experience
After you configure app-level MFA, users are prompted to enroll in factors that they haven't enrolled in yet.
If they're enrolled in all factors that you require to access the app, they're prompted to authenticate themselves.