Application Level Multifactor Authentication
You can configure multifactor authentication (MFA) at the application level. By adding MFA to an appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in., you provide an additional layer of security for specific apps. The end usersIn Okta literature, we generally refer to "end users" as the people who have their own Okta home page (My Applications), using chiclets to authenticate into all of their apps. End users do not have any administrative control. When we refer to "users" we are generally referring to the individual(s) who have administrative control. you assign the app to must respond to additional authentication factors to access the app.
You can configure app-level MFA by itself or both orgThe Okta container that represents a real-world organization.-level MFA and app-level MFA together. Refer to Multifactor Authentication for more information on org-level MFA. If you configure both, your end usersIn Okta literature, we generally refer to "users" as the people who serve as Okta administrators. When we refer to "end users" we are generally referring to the people who the administrators serve. That is, those who use Okta chiclets to access their apps, but have no administrative control. are asked for the additional authentication factors when they sign into Okta and again when they sign into apps that you have configured for app-level MFA.
To configure app-level MFA, perform the following steps:
- From your Administrator Dashboard, select Applications and select the app you want to configure.
- Click the Sign On tab and scroll down to the Sign On Policy section.
- You can either create a new rule or modify an existing one to set up MFA on the app. Select either Add Rule to create a new rule or select the edit rule pencil icon in the Action column for the rule you want to modify. The App Sign On Rule dialog box appears. Give the rule a name.
(Optional) To configure MFA for specific groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. and users, go to the Conditions section and under the question, "Who does this rule apply to?" select The following groups and users. After this selection, you can enter the names of the groups and users you want to include.
In addition, you can check Exclude the following users and groups from this rule to exclude groups and users. After this selection, you can enter the groups and users that you want to exclude from the rule.
- If you have not configured your factor types yet, click the Multifactor Authentication link. After you configure your factor types, close the tab or window and return to this page. If you have already configured your factor types, proceed to the following step.
Scroll down to the Actions section. Under Access, select Allowed with multifactor, select when your end users must provide the additional factors, and then click the Save button. For your convenience, there is a link in this section to jump directly to the MFA factors screen.
About End-User Sign On
The next time your end users attempt to launch an app that has app-level MFA, they are prompted to set up their extra verification information for the additional factors you configured if they have not already done so. For example, if you configured SMS as an additional factor, end users must provide a mobile number at which they can receive SMS text messages. If they have already configured their extra verification settings, they are only prompted to provide the additional authentication factors to obtain access to the app.Top