Preset authentication policies

Okta provides preset authentication policies that you can apply to apps with standard sign-on requirements.

These policies are configured for common use cases, but you can modify them like any other policy. See Update an authentication policy. Some preset policies require specific rule settings in your Global Session Policy. Refer to the following tables for the configured rules in each policy.

Any two factors

This is a common use case that requires any two factors.

Catch-all rule

IF conditions Any
THEN Access is Allowed
AND User must authenticate with Any 2 factor types

Password only

This is a common use case that requires only a password for authentication.

Catch-all rule

IF conditions Any
THEN Access is Allowed
AND User must authenticate with Password

One factor access

This policy requires users to authenticate with email or SMS only.

Catch-all rule

IF conditions Any
THEN Access is Allowed
AND User must authenticate with Any 1 factor type

To use this policy, add a Global Session Policy rule with the following settings:

  • AND Primary factor is: Password / IDP / any factor allowed by app sign on rules
  • AND Secondary factor is: not required

Seamless access based on risk context

This policy requires users to authenticate with Okta FastPass.

Rule 1: Low Risk

IF conditions Risk LOW
THEN Access is Allowed
AND User must authenticate with Any 1 factor type
AND Access with Okta FastPass is granted: Without the user approving a prompt in Okta Verify or providing biometrics

Rule 2: Medium Risk

IF conditions Risk MED
THEN Access is Allowed
AND User must authenticate with Any 1 factor type
AND Possession factor constraints are Device bound (excludes phone and email)

Rule 3: High Risk

IF conditions Risk HIGH
THEN Access is Allowed
AND User must authenticate with Any 2 factor types
AND Possession factor constraints are Device bound (excludes phone and email)

Catch-all rule

IF conditions Any
THEN Access is Denied

To use this policy, add a Global Session Policy rule with the following settings:

  • AND Primary factor is: Password / IDP / any factor allowed by app sign on rules
  • AND Secondary factor is: not required

Seamless access based on network context

This policy requires two factors if the user is off network.

Rule 1: In network

IF conditions In zone LegacyIPZone
THEN Access is Allowed
AND User must authenticate with Any 1 factor type

Rule 2: Off network

IF conditions User not in zone LegacyIPZone
THEN Access is Allowed
AND User must authenticate with Any 2 factor types

Catch-all rule

IF conditions Any
THEN Access is Denied

To use this policy, complete the following settings:

  1. Configure the network zone and add your corporate / VPN IP addresses to the LegacyIPZone.
  2. Add a Global Session Policy rule with the following settings:
     • AND Primary factor is: Password / IDP / any factor allowed by app sign on rules
     • AND Secondary factor is: Not required
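The risk-context and network-context tables above are ordered rule sets: Okta evaluates rules top to bottom, the first match decides, and the catch-all at the bottom denies anything the earlier rules did not cover. The following script is an added example, not Okta's code or a rendering of its policy API. It models those two presets so you can check what a sign-in in a given context will be asked for. Context, Rule, Requirement, evaluate, satisfies, decide and the factor catalogue are constructed names, and the script assumes that a possession-factor constraint makes a device-bound possession factor mandatory for that rule; verify that reading against your own tenant's behaviour.

```python
"""Toy evaluator for ordered authentication-policy rules.

Added example, not Okta's code: it models the rule tables on this page
(first matching rule wins; the catch-all at the end decides everything else).
Context, Rule, Requirement, evaluate, satisfies, decide and FACTORS are
hypothetical names constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple


@dataclass(frozen=True)
class Context:
    risk: str            # Okta risk level: "LOW", "MED" or "HIGH"
    zones: frozenset     # names of network zones the client IP falls in


@dataclass(frozen=True)
class Requirement:
    access: str                       # "ALLOW" or "DENY"
    factor_types: int = 0             # distinct factor types the user must present
    device_bound_only: bool = False   # possession factor must be device bound (no phone/email)


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Context], bool]
    requirement: Requirement


def any_context(_: Context) -> bool:
    return True


# "Seamless access based on risk context" as listed on this page.
RISK_CONTEXT: List[Rule] = [
    Rule("Low Risk", lambda c: c.risk == "LOW", Requirement("ALLOW", 1)),
    Rule("Medium Risk", lambda c: c.risk == "MED", Requirement("ALLOW", 1, device_bound_only=True)),
    Rule("High Risk", lambda c: c.risk == "HIGH", Requirement("ALLOW", 2, device_bound_only=True)),
    Rule("Catch-all", any_context, Requirement("DENY")),
]

# "Seamless access based on network context"; LegacyIPZone is the zone name from the page.
NETWORK_CONTEXT: List[Rule] = [
    Rule("In network", lambda c: "LegacyIPZone" in c.zones, Requirement("ALLOW", 1)),
    Rule("Off network", lambda c: "LegacyIPZone" not in c.zones, Requirement("ALLOW", 2)),
    Rule("Catch-all", any_context, Requirement("DENY")),
]

# Constructed factor catalogue: factor type and whether the possession factor is device bound.
FACTORS = {
    "password":    ("knowledge",  False),
    "okta_verify": ("possession", True),    # Okta Verify push / FastPass, bound to the enrolled device
    "fido2":       ("possession", True),
    "sms":         ("possession", False),   # phone: never counts as device bound
    "email":       ("possession", False),
}


def evaluate(policy: List[Rule], ctx: Context) -> Tuple[str, Requirement]:
    """Return the name and requirement of the first rule whose condition matches.

    Rules are evaluated top to bottom exactly once; the catch-all must be last,
    otherwise it would shadow every rule beneath it.
    """
    for rule in policy:
        if rule.condition(ctx):
            return rule.name, rule.requirement
    raise ValueError("policy has no catch-all rule")


def satisfies(req: Requirement, presented: Set[str]) -> bool:
    """Would a sign-in presenting these factors meet the requirement?"""
    if req.access == "DENY":
        return False
    types = {FACTORS[f][0] for f in presented}
    if len(types) < req.factor_types:
        return False
    if req.device_bound_only:
        possession = [f for f in presented if FACTORS[f][0] == "possession"]
        # Assumption: the constraint makes a device-bound possession factor mandatory,
        # so a sign-in with no possession factor, or with phone/email, fails.
        if not possession or not all(FACTORS[f][1] for f in possession):
            return False
    return True


def decide(policy: List[Rule], ctx: Context, presented: Set[str]) -> Tuple[str, bool]:
    """Which rule applied, and whether the presented factors are enough under it."""
    name, req = evaluate(policy, ctx)
    return name, satisfies(req, presented)


if __name__ == "__main__":
    off_net = Context(risk="LOW", zones=frozenset())
    print(decide(NETWORK_CONTEXT, off_net, {"password"}))                            # ('Off network', False)
    print(decide(NETWORK_CONTEXT, off_net, {"password", "sms"}))                     # ('Off network', True)
    print(decide(RISK_CONTEXT, Context("MED", frozenset()), {"password", "sms"}))    # ('Medium Risk', False)
```

Two things the model makes visible: a request from an address that is not in LegacyIPZone never reaches the "In network" rule, so a misconfigured zone silently turns every sign-in into a two-factor sign-in rather than opening access; and under the Medium Risk rule a password plus SMS is refused even though it is two factor types, because the possession constraint excludes phone and email.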

Related topics

Update an authentication policy

Add apps to an authentication policy