Create an authenticator enrollment policy

Create an authenticator enrollment policy to manage how and when your end users enroll authenticators. You can create policies specific to authenticators, user groups, and situations.

Grace periods shouldn't be used with the authenticators that you require for self-service registration. Create a separate policy for these authenticators and don't set a grace period.

Before you begin

Configure the authenticators that you want your users to sign in with. At least one authenticator must be enabled for authentication (MFA/SSO). The authenticators you configure must fulfill the security requirements of your org's sign-on policies. See Multifactor authentication.

To use grace periods in your policy, upgrade your Sign-In Widget to version 7.28.

Create a policy

  1. In the Admin Console, go to SecurityAuthenticators.

    Open the Enrollment tab.

  2. Click Add a Policy.
  3. Enter a Policy name and Policy description.
  4. In Assign to groups, enter one or more user groups to which this policy should apply.
  5. For each authenticator you configured, indicate whether enrollment is Optional, Required, or Disabled.
    • At least one of your authenticators must be Required.
    • Disabled isn't available for authenticators if another policy requires them.
  6. Early Access. Set a Grace period for required authenticators, or select None to require it the first time users sign in.

  7. Click Create policy. The policy appears on the Enrollment tab and is set to Active.

Edit a policy

  1. To deactivate a policy, click the Active dropdown menu and select Deactivate. An inactive policy isn't applied to any users.

  2. To update a policy, click the Edit button for the policy. Make changes and click Update policy.

  3. To delete a policy, click the Delete button for the policy. Once you delete a policy, it can't be recovered. You can't delete the default policy.

  4. To reprioritize a policy, drag and drop it in the list to the desired level.

User experience

If a user hasn't enrolled a required authenticator when they access Okta or an Okta-protected app, the Sign-In Widget prompts them to complete enrollment. Then, users are prompted to enroll the optional authenticators, with an option to continue without enrolling. Users never see the disabled authenticators when signing in, even if they'd enrolled that authenticator.

Grace periods and authentication policies

If you configured a grace period for a required authenticator, users who satisfy the target app's authentication policy may continue to the app without enrolling until the grace period ends. Users who don't satisfy the target app's authentication policy must enroll the required authenticators immediately.

If the app's authentication policy requires users to enroll an authenticator before they can sign in, its grace period is ignored.

Sign-In Widget

The presentation of required authenticators differs slightly in the second and third generation Sign-In Widget.

  • In the second generation, users see all required authenticators in a single list. The Continue option only appears for those still in the grace period.

  • In the third generation, users see a list of authenticators that are required now and a second list of those that are still in the grace period (with the Continue option). If all the authenticators are still in the grace period, users see a single list with options to Remind me later.

Limitations

Email verification for self-service registration doesn't support grace periods. If you use email verification for self-service registration, don't set a grace period for this authenticator.

Next step

Configure an authenticator enrollment policy rule