End user sign-in process
First sign-in attempt
Okta processes all sign-in attempts from new devices by evaluating the same set of conditions:
- If your org uses email for Single Sign-On (SSO), then the email and password sign-in options are always available to users, even when the user profile doesn't exist or the user can't sign in.
- If your org doesn't use email for SSO, the user is always prompted for a password.
- The user can't sign in if authentication errors occur.
When the same user attempts to sign in again on the same browser, a full list of available authenticators is displayed.
If your org has email enabled for SSO, end users who try to access an app on a new device see the identifier-first Sign-In Widget.
- The end user enters their full app Username, including the domain, and then clicks Next.
- If the end user's profile exists, the security method page displays Email and Password options.
  - If the end user selects Password, they enter their password and then click Next.
  - The Sign-In Widget prompts the end user for email verification.
  - The end user selects Email, and then authenticates by clicking a link provided in the email.
- If the end user's profile doesn't exist, the security method page displays Password as the only option.
  - The end user enters their password and then clicks Next.
  - The Sign-In Widget displays the message Unable to sign in.
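The branching above (email SSO on or off, profile present or absent, first attempt versus a repeat attempt from the same browser) can be modelled as a small decision procedure. The following is an added example written for this page, not Okta code: `OrgConfig`, `SignInAttempt`, the step strings and the sample authenticator set are constructed assumptions, and the Email-first path is modelled as an assumption because the page only spells out the Password-first path.

```python
# Added example: a constructed model of the identifier-first sign-in flow
# described on this page. It is not Okta code; OrgConfig, SignInAttempt and
# the step strings are assumptions made for illustration.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class OrgConfig:
    email_sso_enabled: bool  # whether the org uses email for SSO


@dataclass
class SignInAttempt:
    username: str              # full app username, including the domain
    profile_exists: bool       # whether a user profile exists for this username
    password_correct: bool = True
    seen_on_this_browser: bool = False  # repeat attempt from the same browser
    # Authenticators enrolled for the user; the full list is only shown on a
    # repeat attempt from the same browser (constructed sample set)
    enrolled: Tuple[str, ...] = ("Password", "Email")


def offered_authenticators(org: OrgConfig, attempt: SignInAttempt) -> List[str]:
    """Which security methods the widget displays after the username step."""
    if attempt.seen_on_this_browser:
        # Same user, same browser: the full list of available authenticators
        return list(attempt.enrolled)
    if org.email_sso_enabled and attempt.profile_exists:
        return ["Email", "Password"]
    # No email SSO, or no profile: Password is the only option shown
    return ["Password"]


def first_sign_in(org: OrgConfig, attempt: SignInAttempt,
                  choice: str) -> Tuple[List[str], bool]:
    """Walk the widget steps for a first attempt from a new device.

    Returns (steps the end user sees, whether sign-in succeeded).
    """
    if "@" not in attempt.username:
        raise ValueError("username must be the full app username with domain")
    steps = [f"Enter username {attempt.username}, click Next"]
    options = offered_authenticators(org, attempt)
    steps.append("Security method page shows: " + ", ".join(options))
    if choice not in options:
        raise ValueError(f"{choice} is not offered on this attempt")

    if not attempt.profile_exists:
        # The password is still collected, but the attempt always ends in an error
        steps.append("Enter password, click Next")
        steps.append("Unable to sign in")
        return steps, False

    if choice == "Password":
        steps.append("Enter password, click Next")
        if not attempt.password_correct:
            # Authentication errors always block sign-in
            steps.append("Authentication error, sign-in denied")
            return steps, False
        if org.email_sso_enabled:
            steps.append("Prompted for email verification")
            steps.append("Select Email, click the link in the email")
    else:
        # Assumption: choosing Email first authenticates via the emailed link
        steps.append("Select Email, click the link in the email")
    return steps, True
```

Running `first_sign_in` with a non-existent profile shows why the widget still asks for a password: the flow collects it and then reports Unable to sign in, which is the behaviour the list above describes.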
Future sign-in attempts
You can reduce friction for the sign-in experience even further by enabling the Keep me signed in option.
Keep me signed in enables a session that extends beyond browser lifetimes. It also remembers MFA authenticators from previous sessions. Keep me signed in maintains the session for the amount of time defined by the Global Session Policy. See Organization Security.