Add a rule for authenticator enrollment

Early Access release. See Enable self-service features.

Add this rule to build phishing resistance into your authenticator enrollment process. When this rule is active, users must provide a phishing-resistant authenticator when they enroll other authenticators and when they unenroll one. If your org doesn't use phishing-resistant authenticators yet, start with Add a rule for your enrolling your first phishing-resistant authenticator.

Prerequisites

All users in your org must be eligible to use the phishing-resistant authenticators. See Create an authenticator enrollment policy.

Add the rule

  1. In the Admin Console, go to SecurityAuthentication Policies.

  2. Select Okta Account Management Policy.

  3. Click Add Rule.

  4. Enter a descriptive rule name, like Phishing-resistant authenticator enrollment.

  5. Set the following IF conditions.

    • User type: Any user type

    • User group membership includes: Any

    • User is: Any

    • Device state is: Any

    • Device assurance policy is: No policy

    • Device platform is: Any platform

    • User's IP is: Any

    • Risk is: Any

    • The following custom expression is true: accessRequest.operation == 'enroll'

  6. Set the following THEN conditions.

    • Access is: Allowed after successful authentication

    • User must authenticate with: Possession factor

    • Possession factor constraints are: Phishing resistant

    • Authentication methods: Allow any method that can be used to meet the requirement

    • Prompt for authentication: Every time user signs in to resource

  7. Click Save.

Set this rule's priority above the catch-all but below the first phishing-resistant authenticator (if you added that one). Be sure that the first phishing-resistant authenticator rule stays at priority 1.

User experience

If a user meets the requirements of the Okta account management policy, their experience for this process doesn't change. However, their authenticator choices are limited to the phishing-resistant options. Consider these two scenarios:

  • Users who are currently activated with a single factor can't enroll new authenticators or sign in to apps that require MFA. Refer to this task's prerequisite.

  • Users can lock themselves out if they unenroll too many authenticators. Inform your users that they must keep at least one phishing-resistant authenticator enrolled always.

If a user doesn't meet the requirements of your Okta account management policy, they can't update their profile settings. All fields are read-only, including the Reset, Update, and Remove options for their existing security methods, and the authenticators that they haven't enrolled are hidden.

Related topics

Okta account management policy

Add a rule for password recovery and account unlock