Preset authentication policies

Okta provides preset authentication policies that you can apply to apps with standard sign-on requirements. Some preset policies require specific rule settings in your global session policy. Refer to the following tables for the configured rules in each policy.

Default Policy

If you upgraded from Classic Engine, this is your default policy. When you add an app, it starts with this policy.

If you didn't upgrade from Classic Engine to Identity Engine, your default policy is Any two factors.

Catch-all rule

IF conditions Any
THEN Access is Allowed
AND User must authenticate with Any 1 factor type

Any two factors

This is the default policy for new orgs. When you add an app, it starts with this policy.

Catch-all rule

IF conditions Any
THEN Access is Allowed
AND User must authenticate with Any 2 factor types
AND Re-authentication frequency is After 12 hours

Password only

This is a common use case that requires only a password for authentication.

Catch-all rule

IF conditions Any
THEN Access is Allowed
AND User must authenticate with Password

One factor access

This policy requires users to authenticate with email or SMS only.

Catch-all rule

IF conditions Any
THEN Access is Allowed
AND User must authenticate with Any 1 factor type

To use this policy, add a global session policy rule with the following settings:

  • AND Establish the user session with: Any factor used to meet the Authentication Policy requirements
  • AND Multifactor authentication (MFA) is: not required

Seamless access based on risk context

This policy requires users to authenticate with Okta FastPass.

Rule 1: Low Risk

IF conditions Risk LOW
THEN Access is Allowed
AND User must authenticate with Any 1 factor type
AND Access with Okta FastPass is granted Without the user approving a prompt in Okta Verify or providing biometrics

Rule 2: Medium Risk

IF conditions Risk MED
THEN Access is Allowed
AND User must authenticate with Any 1 factor type
AND Possession factor restraints are Device bound (excludes phone and email)

Rule 3: High Risk

IF conditions Risk HIGH
THEN Access is Allowed
AND User must authenticate with Any 2 factor types
AND Possession factor restraints are Device bound (excludes phone and email)

Catch-all rule

IF conditions Any
THEN Access is Denied

To use this policy, add a global session policy rule with the following settings:

  • AND Establish the user session with: Any factor used to meet the Authentication Policy requirements
  • AND Multifactor authentication (MFA) is: not required

Seamless access based on network context

This policy requires two factors if the user is off network.

Rule 1: In network

IF conditions In zone LegacyIPZone
THEN Access is Allowed
AND User must authenticate with Any 1 factor type

Rule 2: Off network

IF conditions User not in zone LegacyIPZone
THEN Access is Allowed
AND User must authenticate with Any 2 factor types

Catch-all rule

IF conditions Any
THEN Access is Denied

To use this policy, complete the following settings:

  1. Configure the network zone and add your corporate / VPN IPs to the LegacyIPZone.
  2. Add a global session policy rule with the following settings:
    • AND Establish the user session with: Any factor used to meet the Authentication Policy requirements
    • AND Multifactor authentication (MFA) is: not required
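The two context-based presets above (risk context and network context) are ordered rule lists: Okta evaluates rules top-down, the first rule whose IF condition matches decides the outcome, and the catch-all at the end denies anything the earlier rules did not match. The following Python model, added here as an illustration and not Okta's own code, makes that evaluation order and the "Device bound (excludes phone and email)" restraint concrete. The factor catalogue and the interpretation that a device-bound restraint requires at least one device-bound possession factor are assumptions of this model.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

# Constructed factor catalogue (assumption, not an Okta list): factor name -> factor type.
FACTOR_TYPE = {"password": "knowledge", "okta_verify": "possession",
               "security_key": "possession", "sms": "possession", "email": "possession"}
# "Device bound (excludes phone and email)": SMS and email never satisfy the restraint.
DEVICE_BOUND = {"okta_verify", "security_key"}


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[dict], bool]   # the IF condition, evaluated on the request context
    allow: bool                       # THEN Access is Allowed (True) / Denied (False)
    factor_types: int = 0             # AND User must authenticate with Any N factor types
    device_bound: bool = False        # AND Possession factor restraints are Device bound


def evaluate(policy: list[Rule], ctx: dict, factors: set[str]) -> tuple[str, bool]:
    """Walk the rules top-down; the first rule whose condition matches decides."""
    for rule in policy:
        if not rule.matches(ctx):
            continue
        if not rule.allow:
            return rule.name, False
        usable = set(factors)
        if rule.device_bound:
            # Possession factors that are not device-bound do not count toward the rule.
            usable = {f for f in usable if FACTOR_TYPE[f] != "possession" or f in DEVICE_BOUND}
            if not any(FACTOR_TYPE[f] == "possession" for f in usable):
                return rule.name, False
        return rule.name, len({FACTOR_TYPE[f] for f in usable}) >= rule.factor_types
    return "no rule matched", False


# "Seamless access based on risk context": risk levels as labelled on the page (LOW/MED/HIGH).
RISK_CONTEXT = [
    Rule("Rule 1: Low Risk", lambda c: c.get("risk") == "LOW", True, 1),
    Rule("Rule 2: Medium Risk", lambda c: c.get("risk") == "MED", True, 1, device_bound=True),
    Rule("Rule 3: High Risk", lambda c: c.get("risk") == "HIGH", True, 2, device_bound=True),
    Rule("Catch-all rule", lambda c: True, False),
]
# "Seamless access based on network context": the zone name is the page's LegacyIPZone.
NETWORK_CONTEXT = [
    Rule("Rule 1: In network", lambda c: "LegacyIPZone" in c.get("zones", ()), True, 1),
    Rule("Rule 2: Off network", lambda c: "LegacyIPZone" not in c.get("zones", ()), True, 2),
    Rule("Catch-all rule", lambda c: True, False),
]
```

Running `evaluate(RISK_CONTEXT, {"risk": "MED"}, {"password", "sms"})` shows why the medium-risk rule denies a password plus SMS sign-in: SMS is a phone factor and so never satisfies the device-bound restraint. A request whose risk level matches none of the three rules falls through to the catch-all and is denied.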

Related topics

Update an authentication policy

Add apps to an authentication policy