Upgrade from Factor Sequencing to Assurance Models

In Classic Engine, Factor Sequencing allows users to authenticate with a series of configured multifactor authentication (MFA) factors instead of a standard password. Identity Engine replaces Factor Sequencing with assurance-based sign-on policy settings that offer greater flexibility when you configure authentication policies. Now, you can configure passwordless authentication for one app and MFA for another, instead of applying a one-size-fits-all solution.

Determine if your org has active Factor Sequencing chains

  1. In the Admin Console, go to Security > Authentication.

  2. Click the Sign On tab.

  3. Select an Okta Sign-on Policy.

  4. Click the pencil icon for one of the rules in the list.

  5. In the Edit Rule dialog, check the Authentication selections.

Upgrade to Identity Engine and preserve the identifier-first flow

If your org doesn’t have any active chains, the Factor Sequencing feature still provides an identifier-first experience for users. Ask your Okta account team to disable Factor Sequencing before you upgrade.

  1. After the upgrade, go to Directories > Groups.

  2. Create an empty group, and name it Test.

  3. In the Admin Console, go to Security > Global Session Policy.

     1. Create a global session policy and assign it to the group that you created.

     2. On the Global Session Policy page, select the policy that you created and click Add Rule.

        1. In the And Primary factor is section, select the Password / IDP / any factor allowed by app sign on rules option.

        2. Click Create Rule.

Upgrade your Factor Sequences from Classic Engine to Assurance Models in Identity Engine

Okta recommends that you test this procedure in a preview environment that mirrors your production environment before deploying the changes to production.

  1. Evaluate whether the new assurance-based model meets your needs.

  2. Design new authentication policies in Identity Engine that provide security outcomes and protection similar to what your Factor Sequencing rules in Classic Engine provide.

  3. Determine whether you can turn off your current Classic Engine Factor Sequencing rules in production environments for the time you need to perform the upgrade.

  4. Delete all Okta sign-on policy rules that use Factor Sequencing. Or, to keep them for reference, select Password / Any IDP or Password / IDP + Any factor instead of the Factor Sequence.

  5. Contact your Okta account team and ask them to disable Factor Sequencing.

  6. Ask your Okta account team to upgrade your org to Identity Engine.

  7. Configure and activate authentication policies for all of your apps.

  8. Test your scenarios.

Related topics

Factor Sequencing FAQ

MFA options: end-user enhancements