Preset authentication policies
Okta provides preset authentication policies that you can apply to apps with standard sign-on requirements. Some preset policies require specific rule settings in your global session policy. Refer to the following tables for the configured rules in each policy.
The Okta account management policy is a unique preset authentication policy that you can apply to three actions. See Okta account management policy for configuration options.
Classic Migrated
If you upgraded from Classic Engine, your apps that used the default policy now use this policy.
Catch-all rule | |
---|---|
IF conditions | Any |
THEN Access is | Allowed |
AND User must authenticate with | Any 1 factor type |
Prompt for authentication | When an Okta global session doesn't exist |
Any two factors
This is the default policy for new orgs. When you add an app, it starts with this policy. You can't change the default to a different policy, but you can edit this policy as needed.
Catch-all rule | |
---|---|
IF conditions | Any |
THEN Access is | Allowed |
AND User must authenticate with | Any 2 factor types |
Prompt for authentication | After 12 hours |
Password only
This is a common use case that requires only a password for authentication.
Catch-all rule | |
---|---|
IF conditions | Any |
THEN Access is | Allowed |
AND User must authenticate with | Password |
One factor access
This policy requires users to authenticate with email or SMS only.
Catch-all rule | |
---|---|
IF conditions | Any |
THEN Access is | Allowed |
AND User must authenticate with | Any 1 factor type |
To use this policy, add a global session policy rule with the following settings:
- AND Establish the user session with: Any factor used to meet the Authentication Policy requirements
- AND Multifactor authentication (MFA) is: not required
Seamless access based on risk context
This policy requires users to authenticate with Okta FastPass.
Rule 1: Low Risk | |
---|---|
IF conditions | Risk LOW |
THEN Access is | Allowed |
AND User must authenticate with | Any 1 factor type |
AND Access with Okta FastPass is granted | Without the user approving a prompt in Okta Verify or providing biometrics |

Rule 2: Medium Risk | |
---|---|
IF conditions | Risk MED |
THEN Access is | Allowed |
AND User must authenticate with | Any 1 factor type |
AND Possession factor restraints are | Device bound (excludes phone and email) |

Rule 3: High Risk | |
---|---|
IF conditions | Risk HIGH |
THEN Access is | Allowed |
AND User must authenticate with | Any 2 factor types |
AND Possession factor restraints are | Device bound (excludes phone and email) |

Catch-all rule | |
---|---|
IF conditions | Any |
THEN Access is | Denied |
To use this policy, add a global session policy rule with the following settings:
- AND Establish the user session with: Any factor used to meet the Authentication Policy requirements
- AND Multifactor authentication (MFA) is: not required
Seamless access based on network context
This policy requires two factors if the user is off network.
Rule 1: In network | |
---|---|
IF conditions | In zone LegacyIPZone |
THEN Access is | Allowed |
AND User must authenticate with | Any 1 factor type |

Rule 2: Off network | |
---|---|
IF conditions | User not in zone LegacyIPZone |
THEN Access is | Allowed |
AND User must authenticate with | Any 2 factor types |

Catch-all rule | |
---|---|
IF conditions | Any |
THEN Access is | Denied |
To use this policy, complete the following settings:
- Configure the network zone and add your corporate / VPN IPs to the LegacyIPZone.
- Add a global session policy rule with the following settings:
  - AND Establish the user session with: Any factor used to meet the Authentication Policy requirements
  - AND Multifactor authentication (MFA) is: not required
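The two preset policies above are evaluated top to bottom: the first rule whose IF condition matches the sign-in decides, and the catch-all rule denies anything no earlier rule matched. The following is an added illustration (not Okta's code or API) that models that evaluation order for the risk-context and network-context presets; the factor catalogue, the `evaluate` function and the decision values `ALLOWED`, `CHALLENGE` and `DENIED` are assumptions of the model, and the Okta FastPass user-presence setting of the low-risk rule is not modelled.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed factor catalogue (assumption). "device_bound" marks the possession
# factors that satisfy "Device bound (excludes phone and email)".
FACTORS = {
    "password":    {"type": "knowledge",  "device_bound": False},
    "sms":         {"type": "possession", "device_bound": False},
    "email":       {"type": "possession", "device_bound": False},
    "okta_verify": {"type": "possession", "device_bound": True},
    "fido2":       {"type": "possession", "device_bound": True},
}

@dataclass
class Rule:
    name: str
    matches: Callable[[dict], bool]   # the rule's IF condition
    allow: bool                       # THEN Access is Allowed / Denied
    factor_types: int = 0             # "Any N factor types"
    device_bound: bool = False        # possession factor constraint

def evaluate(policy, ctx, factors_used):
    """First rule whose IF condition matches the sign-in context decides.
    Returns (rule name, 'ALLOWED' | 'CHALLENGE' | 'DENIED')."""
    for rule in policy:
        if not rule.matches(ctx):
            continue
        if not rule.allow:
            return rule.name, "DENIED"
        # Under the device-bound constraint, phone and email do not count.
        counted = [f for f in factors_used
                   if FACTORS[f]["type"] != "possession"
                   or not rule.device_bound or FACTORS[f]["device_bound"]]
        types = {FACTORS[f]["type"] for f in counted}
        has_bound = any(FACTORS[f]["device_bound"] for f in counted)
        ok = len(types) >= rule.factor_types and (not rule.device_bound or has_bound)
        return rule.name, "ALLOWED" if ok else "CHALLENGE"
    return "no rule", "DENIED"  # unreachable when the policy ends with a catch-all

RISK_POLICY = [
    Rule("Rule 1: Low Risk",    lambda c: c["risk"] == "LOW",  True, 1),
    Rule("Rule 2: Medium Risk", lambda c: c["risk"] == "MED",  True, 1, device_bound=True),
    Rule("Rule 3: High Risk",   lambda c: c["risk"] == "HIGH", True, 2, device_bound=True),
    Rule("Catch-all rule",      lambda c: True, False),
]
NETWORK_POLICY = [
    Rule("Rule 1: In network",  lambda c: "LegacyIPZone" in c["zones"],     True, 1),
    Rule("Rule 2: Off network", lambda c: "LegacyIPZone" not in c["zones"], True, 2),
    Rule("Catch-all rule",      lambda c: True, False),
]

if __name__ == "__main__":
    # Medium risk with password + SMS: SMS is not device bound, so a challenge follows.
    print(evaluate(RISK_POLICY, {"risk": "MED"}, ["password", "sms"]))
```

The model shows why SMS or email cannot satisfy the medium- and high-risk rules, and why a sign-in with a risk value the rules do not name falls through to the deny catch-all.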