An authentication policy enforces factor requirements on users when they sign in to an app. After the Global Session Policy identifies the user and specifies the length of their session, the authentication policy verifies that the user profile meets specific app requirements, such as group membership, IP zone, and risk level.
Every app in your org has one authentication policy, and multiple apps can share a policy. Okta provides some preset policies with standard sign-on requirements, including a default policy for new apps. The default policy allows access with any two factors.
You can also customize user access by creating your own authentication policies. You can create a unique policy for each app in your org, or just create a few policies and share them across multiple apps. If you decide later to change an app’s sign-on requirements, you can modify its policy or switch to a different policy.