Full authentication policy deployment

This is a more advanced authentication policy. In this scenario, the organization has a more sophisticated approach with three different levels of security requirements for their apps: Low, Medium and High.

This strategy relies on Device Context (see Device Context Deployment Guide) in addition to the authentication method requirements. The following table summarizes the authentication and Device Context settings that satisfy each security level requirement.

Note: In this use case, Okta FastPass is enabled.

Low assurance apps Medium assurance apps High assurance apps
Authentication requirements Any 1 Factor Type Any 2 Factor Types Any 2 Factor Types + Hardware Protected
Device Context Any Registered devices Registered and Managed devices
Okta FastPass option Silent auth Prompt Prompt
Re-authentication frequency Never if session active Every 2 hours Every sign-in attempt

Note: For more information about Okta FastPass, see Passwordless authentication deployment guide.

Prerequisites

Activate Okta FastPass

  1. In the Admin Console, go to Security > Authenticators.

  2. In the Okta Verify row, click Actions > Edit.
  3. Ensure that Okta FastPass (All platforms) is selected.

Ensure the Global Session Policy in use does not require a secondary factor

  1. In the Admin Console, go to Security > Global Session Policy.

  2. Select the policy in use.
  3. Click the icon to the right of the appropriate rule.
  4. Ensure that Require secondary factor is not selected.
  5. Repeat the steps above for additional policies and rules as needed.

Setup and configuration

  1. In the Admin Console, go to Security > Authentication Policy.

  2. Click Add a policy.
  3. Enter a policy Name and Description.
  4. Click Save.
  5. On the Rules tab, click Add rule.
  6. In the Rule name field, enter a name for the rule. The name should be descriptive (for example, Salesforce Low Security). This is helpful when consulting system logs to troubleshoot access issues.
  7. Apply settings for the desired assurance level (as detailed in the previous table). Refer to the configured conditions in the following sections.

Low assurance apps

  1. In the IF section, set AND Device state isto Any.
  2. In the THEN section:
    1. Set THEN Access is to Allowed after successful authentication.
    2. Set AND User must authenticate with to Any 1 factor type.
    3. Set AND Access with Okta FastPass is granted to Without the user approving a prompt in Okta Verify or providing biometrics.
    4. Set AND Re-authentication frequency is to Never re-authenticate if the session is active.
  3. Click Save.
  4. On the Applications tab, click Add app.
  5. Search for the apps you want to add to this policy, and then click Add.

Medium assurance apps

  1. In the IF section, set AND Device state to Registered.
  2. In the THEN section:
    1. Set AND Device management is to Not managed.
    2. Set THEN Access is to Allowed after successful authentication.
    3. Set AND User must authenticate with to Any 2 factor types.
    4. Set AND Access with Okta FastPass is granted to Without the user approving a prompt in Okta Verify or providing biometrics.
    5. Set AND Re-authentication frequency is to Re-authenticate after and set the period to 2 hours.
  3. Click Save.
  4. On the Applications tab, click Add app.
  5. Search for the apps you want to add to this policy, and then click Add.

High assurance apps

  1. In the IF section, set AND Device state to Registered.
  2. In the THEN section:
    1. Set AND Device management is to Managed.
    2. SetTHEN Access is to Allowed after successful authentication.
    3. SetAND User must authenticate with to Any 2 factor types.
    4. Set AND Possession factor constraints are to Hardware protected.
    5. Set AND Access with Okta FastPass is granted to If the user approves a prompt in Okta Verify or provides biometrics (meets NIST AAL2 requirements).
    6. Set AND Re-authentication frequency is to Every sign-in attempt.
  3. Click Save.
  4. On the Applications tab, click Add app.
  5. Search for the apps you want to add to this policy, and then click Add.

Note: In this scenario, medium and high assurance levels are expected to deny access from devices that are not registered or managed, respectively. To accomplish this, the catch-all rule for the app policy must not be changed from its default state, which denies access. This rule will be applied to devices that do not meet the IF conditions set in the above rules.

User sign-in experience

When a user attempts to launch an app governed by an authentication policy, their experience will be determined by the security levels applied to the policy. The same user may have different experiences when launching different apps, based upon their policies.

After configuring apps using the settings above, try one of the following approaches.

Low assurance app

When a user launches the app from any device, only one authentication method must be satisfied before access is granted. Entering a password satisfies this requirement.

Medium assurance app

  • When a user launches the app from an Unregistered device they will not be able to proceed until Okta Verify is installed and launched on the device, as shown in the following image.
  • When a user launches the app from a Registered device they must satisfy two factor types before they can proceed to the app. For example, they may enter a password (Knowledge factor) and respond to an Okta Verify push (Possession factor).
  • If users close and relaunch the app two afters after they first launched the application, they will be prompted to authenticate.

High assurance app

This is similar to the medium assurance app experience, except:

  • When a user launches the app from an Unregistered, a Registered - Not Managed device, or a device that is not hardware protected, they will not be able to proceed until both requirements are met.
  • Users will need to respond to both factor prompts each time they launch the protected app.