Configure simple security with one-factor authentication

In this use case, only one factor type is required to authenticate. The main objective is to show how Okta FastPass offers a passwordless experience. Because the policy doesn't require biometrics, this example is classified as a medium assurance level.

Create a bookmark app

  1. In the Admin Console, go to Applications > Applications.
  2. Select Browse App Catalog.
  3. Search for Bookmark App, and select it when it appears in the search results.
  4. Click Add Integration.
  5. Change the Application label to Bookmark App 1.
  6. Enter a URL and click Done. Because this app is for demonstration purposes only, you can choose any URL you like. In a real environment, use the URL of the app you're setting up SSO for.
  7. Select the Assignments tab.
  8. Select Assign > Assign to Groups, and then select Assign for Okta FastPass Group 1. Don't click the group name unless you want to review the group properties.
  9. Click Done.

Create an authentication policy rule

Create an authentication policy rule to allow for one-factor authentication so users can sign in without a password. After you save the rule, prioritize it over the default catch-all rule.

  1. In the Admin Console, go to Security > Authentication Policies.
  2. Create an authentication policy (see Create an authentication policy for instructions), or select a policy from the list.
  3. If you're creating a new authentication policy, select the Applications tab and add the Bookmark App 1 application. See Add apps to an authentication policy for instructions. Otherwise, select the authentication policy you want to use.
  4. Select the Rules tab. The default catch-all rule allows access with one factor (password).
  5. Click Add Rule.
  6. In the Add Rule dialog, add a rule name (for example, Bookmark App 1 rule).
  7. In the IF User's user type is field, select Any user type.
  8. In the AND User's group membership includes field, select At least one of the following groups.
  9. Start typing the name of the group you created in the prerequisites (Okta FastPass Group 1) and then select it.
  10. In the AND User is field, select Any user.
  11. In the AND Device State is field, select Registered.
    • If a device is registered, the Sign-In Widget polls the user's device to see if Okta Verify is installed. If it is, and if an account for that particular org is registered with Okta Verify, Okta is able to identify the user.
    • Selecting this option also prompts the user to install Okta Verify and register their device on first use.

      If you select Any instead of Registered, the user will always see the sign-in page and the Sign-In Widget will not silently poll Okta Verify to authenticate the user. It may also prevent Okta FastPass from working reliably in some cases.

      To avoid this, select Registered. Registered also means that if Okta Verify is installed, the user will not see other authenticators, even if they also have them installed.

      If you require a permissive authentication policy that includes Okta FastPass, and you select the Any option for the AND Device State is field, configure two policies, ranking the first policy higher than the second:

      1. One Okta FastPass-enabled authentication policy with the AND Device State is field set to Registered

      2. One authentication policy with the AND Device State is field set to Any to allow the use of additional authenticators that you want to enable

  12. Use default values for AND Device Platform is (Any platform), and AND User's IP is (Any IP).
  13. Leave the AND The following custom expression is true field blank.
  14. For the AND User must authenticate with field, select Possession factor.

    If you choose Any 1 factor type, the authentication policy presents the user with a list of their enrolled authenticators (including password), allowing them to pick whichever one they want to use.

  15. In the AND Access with Okta FastPass is granted field, select Without the user approving a prompt in Okta Verify or providing biometrics. If you choose the other option, If the user approves a prompt in Okta Verify or provides biometrics, the user will always see the sign-in screen and will have to select Sign in with Okta FastPass.
  16. In the AND Password re-authentication frequency field, select Every sign-in attempt. This means the authenticator has to be verified every time the user accesses the app. If you choose Re-authenticate after instead, the user must re-authenticate with that authenticator only if it hasn't been used within the given timeframe. The re-authentication frequency timestamp marks the start of the authorization period and doesn't change when the authorization is reused for another app; it changes only when the authorization period expires and the user needs to reauthenticate.
  17. Click Save.
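The rule you just saved can be pulled back through the Okta Management API and compared against the intent of steps 11, 14, 15 and 16, and against the requirement that it be prioritized above the catch-all rule. The following Python check is an added example; it is not Okta's code or part of this page. The rule dictionaries are constructed to mirror the shape of Okta's Access Policy rule objects (conditions.device.registered, actions.appSignOn.verificationMethod with factorMode, constraints and reauthenticateIn); treat those field names, the group ID and the duration values as assumptions to confirm against the Okta API reference for your org before relying on the check.

```python
"""Sanity-check a saved FastPass authentication policy rule (added example).

Assumptions: the dictionaries below imitate Okta Access Policy rule JSON;
FASTPASS_GROUP_ID is a constructed placeholder, not a real group ID.
"""

FASTPASS_GROUP_ID = "00gFASTPASSGROUP1"  # placeholder for Okta FastPass Group 1


def _verification_method(rule):
    return rule.get("actions", {}).get("appSignOn", {}).get("verificationMethod", {})


def device_registered(rule):
    """True only when the rule's AND Device State is condition is Registered."""
    return rule.get("conditions", {}).get("device", {}).get("registered") is True


def check_fastpass_rule(rule):
    """Return findings explaining why `rule` would not give the silent,
    passwordless FastPass experience described above. Empty list == as intended."""
    findings = []
    if not device_registered(rule):
        findings.append("device state is Any: the Sign-In Widget will not silently poll Okta Verify")
    groups = rule.get("conditions", {}).get("people", {}).get("groups", {}).get("include", [])
    if FASTPASS_GROUP_ID not in groups:
        findings.append("rule is not scoped to Okta FastPass Group 1")
    vm = _verification_method(rule)
    if vm.get("factorMode") != "1FA":
        findings.append("factor mode is not one-factor")
    constraints = vm.get("constraints", [])
    possession = [c["possession"] for c in constraints if "possession" in c]
    # 'Any 1 factor type' shows up as no constraints: the user may pick password.
    if any("knowledge" in c for c in constraints) or not possession:
        findings.append("Possession factor is not enforced: the user can be offered a password")
    elif any(p.get("userPresence") == "REQUIRED" for p in possession):
        findings.append("user presence required: the user must approve an Okta Verify prompt")
    if vm.get("reauthenticateIn") != "PT0S":
        findings.append("re-authentication frequency is not Every sign-in attempt")
    return findings


def check_rule_order(rules):
    """Rules evaluate top-down (lower priority number first). Confirm every
    Registered-device rule sits above any rule that accepts Any device state
    (the catch-all, or the permissive second policy from step 11)."""
    seen_any_device = False
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if device_registered(rule):
            if seen_any_device:
                return False
        else:
            seen_any_device = True
    return True


# Constructed sample rules, shaped like what the API would return.
FASTPASS_RULE = {
    "name": "Bookmark App 1 rule",
    "priority": 0,
    "conditions": {
        "people": {"groups": {"include": [FASTPASS_GROUP_ID]}},
        "device": {"registered": True},
        "network": {"connection": "ANYWHERE"},
    },
    "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
        "factorMode": "1FA", "type": "ASSURANCE", "reauthenticateIn": "PT0S",
        "constraints": [{"possession": {"userPresence": "OPTIONAL", "deviceBound": "REQUIRED"}}],
    }}},
}

CATCH_ALL_RULE = {
    "name": "Catch-all Rule",
    "priority": 1,
    "conditions": {"people": {"users": {"exclude": []}}, "network": {"connection": "ANYWHERE"}},
    "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
        "factorMode": "1FA", "type": "ASSURANCE", "reauthenticateIn": "PT2H", "constraints": [],
    }}},
}

if __name__ == "__main__":
    for rule in (FASTPASS_RULE, CATCH_ALL_RULE):
        print(rule["name"], "->", check_fastpass_rule(rule) or "OK")
    print("order OK:", check_rule_order([FASTPASS_RULE, CATCH_ALL_RULE]))
```

In a real org you would replace the constructed dictionaries with the rules returned for the policy, and run the order check over the whole list rather than two rules; the catch-all rule intentionally fails every check here, which is exactly why the FastPass rule must rank above it.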

Test the user sign-in experience

Whenever you change settings, clear the browser before you test them.

  1. In another browser instance or incognito window, go to the End-User Dashboard for this org.
  2. Select Bookmark App 1.
  3. Verify that you're signed in to the app without any user interaction.

Alternate sign-in flow

If you select Any instead of Registered in the Device State field, users are always redirected to the Okta Sign-In Widget (no silent authentication).