Authenticator enrollment policies

Authenticator enrollment policies let you manage how and when your end users enroll authenticators. The policy lets you select from the eligible authenticators and make them required, optional, or disabled for enrollment.

You can create policies for specific authenticators, and then customize those policies for different user groups. The rules you add to a policy determine the situations when the policy applies. For example, allow authenticator enrollment for users accessing certain apps, or deny enrollment if users access Okta from certain locations.

Okta may prompt users to enroll more authenticators if the global session policy, app sign-in policy, or password policy requires them.

Grace periods

Grace periods control how often a user can postpone enrollment of a required authenticator. They're configured on a per-authenticator basis to minimize sign-in friction and streamline the onboarding process. You can set grace periods by end date or skip count, and customize the messaging that's displayed with each prompt.

  • End date: The grace period ends on a designated date. Users are prompted for enrollment once daily until this date is reached.

  • Skip count (Early Access): The grace period ends after users have skipped enrollment a designated number of times. Users are prompted for enrollment once daily until they reach this number of skips.

When the grace period ends, the option to continue without enrolling is hidden. If you want users to enroll in an authenticator immediately, you don't have to set a grace period.

Topics

Create an authenticator enrollment policy

Configure rules for authenticator enrollment policies