Add an authentication policy rule for mobile

Authentication policies define and enforce access requirements for apps. Every app in your org already has a default authentication policy. You can customize the policy by creating rules that regulate, among other things, who can access an app, from what locations, on what types of devices, and using what authentication methods.

For example, you may want to require all Okta users by default to provide a password to access an app but require Okta users in a designated group to provide both their password and Okta Verify to access the same app. Create one rule that challenges default users to provide their password and another rule that challenges all members of the designated group to provide Okta Verify.

Rules are numbered. Okta evaluates rules in the same order in which they appear on the authentication policy page. You can reorder added rules by clicking and dragging the vertical dotted "handle" that appears under a rule's number.

The authentication policy is evaluated whenever a user accesses an app. If the user does not have a valid Okta session at that time, the Global Session Policy is also evaluated (see Global session policies).

For example, suppose a user who doesn't have an active Okta session tries to access an app. If the Global Session Policy requires Password / IdP and the authentication policy requires 1FA, possession factor, the user is required to provide their password (or federate with an external IdP) and provide a possession factor.

When evaluating whether to apply the policy to a particular user, Okta combines the conditions of a policy and the conditions of its rule(s). If the policy includes multiple rules and the conditions of the first rule aren't satisfied when a user tries to access the app, Okta skips this rule and evaluates the user against the next rule.

To configure passwordless authentication using Okta Verify, see Configure Okta FastPass.

After you migrate from Device Trust (Classic) to Device Trust on the Okta Identity Engine and have an authentication policy rule that requires Registered devices, you will see Authentication of device via certificate - failure: NO_CERTIFICATE system log events. This is expected behavior and will be resolved when you migrate to Okta FastPass. It occurs because the server is attempting a Device Trust challenge with a device that does not have a client certificate. The user can still log in, but the device is considered "untrusted".

Before you begin

Start this procedure

  1. Configure an SSO extension on iOS devices.
  2. In the Admin Console, go to SecurityAuthentication Policies.

  3. Select the authentication policy that you want to add a rule to.

  4. Click Add rule page.

  5. Type a Rule name to describe the rule.

  6. Configure the appropriate IF conditions to specify when the rule is applied.

    In setting conditions, keep in mind that some conditions are primarily useful for auditing and filtering events and shouldn't be treated as the basis for defining your security posture.

    For example, a malicious actor could easily spoof a device platform, so you shouldn't use the device platform as the key component of an authentication policy rule.

  7. Configure the appropriate THEN conditions to specify how authentication is enforced.

  8. Configure the re-authentication frequency, if needed.

  9. Click Save.