App sign-in policies

App sign-in policies define how a user must authenticate to gain access to an app. They verify that the user meets specific app requirements, like group membership, the IP zone they're signing in from, risk level, and others. If the user meets the requirements of the app sign-in policy, they're granted access to the app.

You can create a unique policy for each app in your org, or create a few policies and share them across multiple apps. You can use Okta preset policies for apps with standard sign-in requirements.

All new apps, except for API service apps, start with the shared default policy. This policy has a single catch-all rule that allows a user access with two factors. You can add as many rules to the default policy as you need. However, remember that the changes are applied to both new and existing apps that are assigned to the shared default policy.

You can also use the Okta account management policy to define authentication requirements when users enroll or unenroll authenticators, recover their passwords, and unlock their accounts.

Topics

• Create an app sign-in policy
• Add an app sign-in policy rule
• Assign apps to an app sign-in policy
• Update an app sign-in policy
• Clone an app sign-in policy
• Modify app sign-in policies for first-party apps
• Preset app sign-in policies
• Merge duplicate policies
• Create device signal collection rules
• Authentication method chain
• Authentication scenarios
• Biometric user verification in app sign-in policies
• Device platform security