Authentication method chain

An authentication method chain requires users to verify their identity using authenticators in an order that you configure. You can add chains to authentication policy rules, and create multiple chains to accommodate different authentication scenarios.

How it works

In an authentication policy rule, you can specify which authenticators a user must authenticate with to access an app. Each authenticator fulfills certain factor type and method requirements as described in Multifactor authentication. You can require users to verify with multiple authenticators to meet your assurance requirements.

With the Authentication method chain option, you can set the order in which these authentication methods are prompted to the user. This gives you more granular control over how the users authenticate into an app.

  • Specify the sequence of authentication methods: You can specify the order in which authentication methods are prompted to the users. For example, require users to first authenticate with a possession factor, such as a one-time passcode (OTP) on their phone. Then require a biometric factor such as Okta Verify with biometric user verification. Or when accessing sensitive apps, require them to authenticate with two phishing-resistant authenticators such as first with WebAuthn then with Okta FastPass.
  • Specify method characteristics for authenticators: For authenticators that have different characteristics depending on the method, you can specify which method characteristic is required. For example, require the phishing-resistant method for Okta FastPass, or require a hardware-protected Smart Card.
  • Specify multiple authentication method chains: You can customize the authentication method chain for different scenarios or to provide users with multiple starting authenticators. For example, offer password and Okta Verify as the first authenticators from two different chains. If the user authenticates with a password, then require FIDO2 (WebAuthn) as a second authenticator. If they authenticate with Okta Verify, then require Google Authenticator as a second authenticator.
  • Specify multiple authentication methods in a single step: You can customize each step of the chain to offer multiple authentication methods. The user can verify with any of these methods to progress to the next step. For example, allow password or phone OTP as the first authenticators and then require FIDO2 (WebAuthn) as the second authenticator in a single chain.
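The following is an added model of the chain semantics described above, constructed for illustration; it is not Okta's own code or configuration API. A chain is an ordered list of steps, each step offers one or more methods together with the method characteristics it requires, and the first authenticator the user completes selects which chain runs.

```python
# Constructed model of authentication method chains (not Okta's API).
# A chain is a list of steps. Each step is a dict mapping an offered
# method name to the set of characteristics a verification with that
# method must carry: "phishing_resistant", "hardware_protected",
# "user_interaction". A completed verification is (method_name, characteristics).

def step_satisfied(step, verification):
    """True if the verified method is offered at this step and carries
    every characteristic the step requires of that method."""
    name, characteristics = verification
    return name in step and step[name] <= set(characteristics)

def select_chain(chains, first_verification):
    """With several chains, the first authenticator the user picks decides
    which chain runs: return the first chain whose opening step accepts it."""
    for chain in chains:
        if step_satisfied(chain[0], first_verification):
            return chain
    return None

def evaluate(chains, verifications):
    """Walk the selected chain in order. Returns (granted, steps_completed);
    when access is not granted, steps_completed is the index of the step
    that is still due (the next prompt the user would receive)."""
    if not verifications:
        return False, 0
    chain = select_chain(chains, verifications[0])
    if chain is None:
        return False, 0
    for i, step in enumerate(chain):
        if i >= len(verifications) or not step_satisfied(step, verifications[i]):
            return False, i
    return True, len(chain)

# Constructed chains mirroring the examples in the text.
# Two chains with different starting authenticators:
CHAINS = [
    [{"password": set()}, {"FIDO2 (WebAuthn)": set()}],
    [{"Okta Verify": set()}, {"Google Authenticator": set()}],
]
# One chain for a sensitive app: two phishing-resistant steps in order.
SENSITIVE = [[{"WebAuthn": {"phishing_resistant"}},
              {"Okta FastPass": {"phishing_resistant"}}]]
# One chain offering two methods in its first step.
MIXED = [[{"password": set(), "phone OTP": set()}, {"FIDO2 (WebAuthn)": set()}]]
```

Running `evaluate(CHAINS, [("Okta Verify", []), ("FIDO2 (WebAuthn)", [])])` returns `(False, 1)`: the Okta Verify chain was selected, so its second step still requires Google Authenticator.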

Set up an authentication method chain

  1. In the authentication policy rule, go to the User must authenticate with dropdown menu and select Authentication method chain.
  2. Specify the first authentication method. Repeat this step to add multiple methods at this level.
    1. From First authentication method, select an authentication method.
    2. Depending on the authenticator, these options related to method characteristics may appear. Select the required characteristics for the method:
      • Phishing resistant
      • Hardware protected
      • User interaction
    3. Optional. Click + Add to add another first authentication method.
  3. In Prompt for authentication, specify how often the user should be prompted for authentication. This is also called the re-authentication frequency.
    • Every time user signs in to resource: Users must authenticate every time they try to access the app. This is the most secure option.
    • When it's been over a specified length of time since the user signed in to any resource protected by the active Okta global session: Users are prompted to authenticate when they exceed the time interval you specify.
    • When an Okta global session doesn't exist: Users are prompted to authenticate if they never established an active Okta global session.
  4. Specify the next authentication method in the chain. Repeat this step to add more authentication steps.
    1. Click Add step to add the next authentication method in the chain.
    2. If available, select the required factor constraints for the method.
    3. Optional. Click + Add to add another authentication method at this level.
  5. Optional. Click Add authentication method chain to add another authentication method chain. Repeat these steps to add authentication methods in the chain.
  6. Click Save.

To remove an authentication method or chain, click the X button for the corresponding method or chain.

End user experience

  • The user receives the first authenticator prompt when they first access the app. When they pass this challenge, the second prompt appears, and so on. When they pass all challenges, they're granted access to the app.
  • When you create multiple chains for an app, the first authenticator for each chain appears on the user's authentication page. Users select an authenticator and then the corresponding chain is triggered.
  • If the user already authenticated with a first authenticator and that authentication is still within the re-authentication frequency window, they're prompted for the second authenticator.
  • The next time the user signs in, they receive the same first authenticator as from their previous session. They can use Back to sign in or Verify with something else to choose a different first authenticator.
  • If the Global Session Policy requires a password, users are prompted for their password first. After they enter the correct password, the authentication method chain for the app is triggered.
  • If User Enumeration Prevention is enabled, the user must authenticate with a password or email on an unknown device first.
  • If Identity Threat Protection is enabled:
    • The order of the authenticators isn't enforced for session protection.
    • If the user verified with an authenticator that's included in a session protection policy rule, the session is marked as Compliant.