Configure simple security with one-factor authentication
In this use case, only the one-factor type is required to authenticate. The main objective is to show how Okta FastPass offers a passwordless experience. If the policy doesn't require biometrics, this example is classified as a medium assurance level.
Create a bookmark app
- In the Admin Console, go to Applications > Applications.
- Select Browse App Catalog.
- Search for Bookmark App, and then click Add.
- Change the Application label to Bookmark App 1.
- Enter a URL and click Done. Because this app is for demonstration purposes only, you can choose any URL you like. In a real environment, use the URL of the app you're setting up SSO for.
- Select the Assignments tab.
- Select Assign > Assign to Groups, and then select Assign for Okta FastPass Group 1. Don't click the group name unless you want to review the group properties.
- Click Done.
Create an authentication policy rule
Create an authentication policy rule to allow for one-factor authentication so users can sign in without a password. After you save the rule, prioritize it over the default catch-all rule.
- In the Admin Console, go to Applications > Applications.
- Select Bookmark App 1.
- Select the Sign On tab. The default catch-all rule allows access with one factor (password).
- Click Add Rule.
- In the Add Rule dialog, add a rule name (for example, Bookmark App 1 rule).
- In the IF User's user type is field, select Any user type.
- In the AND User's group membership includes a field, select At least one of the following groups.
- Start typing the name of the group you created in the prerequisites (Okta FastPass Group 1) and then select it.
- In the AND User is field, select Any user.
- In the AND Device State is field, select Registered.
- If a device is registered, the Sign-In Widget polls the user's device to see if Okta Verify is installed. If it is, and if an account for that particular org is registered with Okta Verify, Okta is able to identify the user.
- Selecting this option also prompts the user to install Okta Verify and register their device on first use.
Important: If you select Any instead of Registered, the user will always see the sign-in page and the Sign-In Widget will not silently poll Okta Verify to authenticate the user. It may also prevent Okta FastPass from working reliably in some cases.
To avoid this, select Registered. Registered also means that if Okta Verify is installed, the user will not see other authenticators, even if they also have them installed.
If you require a permissive authentication policy that includes Okta FastPass, and you select the Any option for the AND Device State is field, configure two policies, ranking the first policy higher than the second:
- One Okta FastPass-enabled authentication policy with the AND Device State is field set to Registered
- One authentication policy with the AND Device State is field set to Any to allow the use of the additional authenticators that you want to enable
- Use default values for Device Platform (Any platform) and the User's IP (Any IP).
- Leave the The following custom expression is true field blank.
- For the User must authenticate with field, select Possession factor.
If you choose Any 1 factor type, the authentication policy would present the user with a list of their enrolled authenticators (including password), allowing them to pick whichever one they want to use.
- In the Access with Okta FastPass is granted field, select Without the user approving a prompt in Okta Verify or providing biometrics. If you choose the other option, If the user approves a prompt in Okta Verify or provides biometrics, the user will always see the sign-in screen and will have to select Sign in with Okta FastPass.
- In the Re-authentication frequency field, select Every sign-in attempt. That means the authenticator has to be verified every time the user accesses the app. If you choose Re-authenticate after, the authenticator will re-authenticate if it hasn't been used within the given timeframe. The re-authentication frequency timestamp indicates the start of the authorization period and does not change when the authorization is reused for another app. It changes when the authorization period expires and needs to be reauthorized.
- Click Save.
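As an added example that is not part of the Okta documentation, the following Python audits a rule as returned by the Policies API (GET /api/v1/policies/{policyId}/rules) against the settings configured above, so drift such as the Device State being switched to Any is caught. The rule field names and the mapping of "Without the user approving a prompt" to a possession constraint with `userPresence: OPTIONAL` are assumptions about the ACCESS_POLICY rule schema; the two sample rules are constructed for this example, not fetched from a real org.

```python
# Assumption: rule dicts have the shape of ACCESS_POLICY rules returned by the
# Okta Policies API. The sample rules below are constructed, not fetched.

def audit_fastpass_rule(rule: dict) -> list[str]:
    """Return findings for a one-factor Okta FastPass rule; [] means it matches the recipe."""
    findings = []
    cond = rule.get("conditions", {})
    vm = rule.get("actions", {}).get("appSignOn", {}).get("verificationMethod", {})

    # Device State must be Registered; with Any, the Sign-In Widget never polls Okta Verify.
    if cond.get("device", {}).get("registered") is not True:
        findings.append("device state is Any: no silent Okta FastPass sign-in")

    # The rule should be scoped to a group (Okta FastPass Group 1), not every user in the org.
    if not cond.get("people", {}).get("groups", {}).get("include"):
        findings.append("rule is not scoped to a group")

    # One factor, possession-based: a 'possession' constraint rather than 'Any 1 factor type'.
    if vm.get("factorMode") != "1FA":
        findings.append(f"factorMode is {vm.get('factorMode')!r}, expected '1FA'")
    if not any("possession" in c for c in vm.get("constraints", [])):
        findings.append("no possession constraint: users get an authenticator list incl. password")

    # 'Every sign-in attempt' is a zero ISO-8601 duration in the API.
    if vm.get("reauthenticateIn") != "PT0S":
        findings.append(f"re-authentication is {vm.get('reauthenticateIn')!r}, expected 'PT0S'")
    return findings

# Constructed sample: the rule as configured in the steps above.
GOOD_RULE = {
    "name": "Bookmark App 1 rule", "type": "ACCESS_POLICY", "priority": 0,
    "conditions": {"device": {"registered": True},
                   "people": {"groups": {"include": ["00g_PLACEHOLDER_GROUP_ID"]}},
                   "userType": {"include": [], "exclude": []}},
    "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
        "type": "ASSURANCE", "factorMode": "1FA", "reauthenticateIn": "PT0S",
        "constraints": [{"possession": {"userPresence": "OPTIONAL"}}]}}},
}

# Constructed sample: a drifted rule (Device State Any, any 1 factor type, 12-hour re-auth).
DRIFTED_RULE = {
    "name": "Bookmark App 1 rule", "type": "ACCESS_POLICY", "priority": 0,
    "conditions": {"device": {"registered": False},
                   "people": {"groups": {"include": ["00g_PLACEHOLDER_GROUP_ID"]}}},
    "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
        "type": "ASSURANCE", "factorMode": "1FA", "reauthenticateIn": "PT12H",
        "constraints": []}}},
}

if __name__ == "__main__":
    for r in (GOOD_RULE, DRIFTED_RULE):
        print(r["name"], audit_fastpass_rule(r) or ["OK"])
```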
Test the user sign-in experience
Whenever you change settings, clear the browser before you test them.
- In another browser instance or incognito window, go to the End-User Dashboard for this org.
- Select Bookmark App 1.
- Verify that you are signed in to the app without any user interaction.
Alternate sign-in flow
If you select Any instead of Registered in the Device State field, users are always redirected to the Okta Sign-In Widget (no silent authentication).