Preset authentication policies
Okta provides preset authentication policies that you can apply to apps with standard sign-on requirements. Some preset policies require specific rule settings in your global session policy. Refer to the following tables for the configured rules in each policy.
Classic Migrated
If you upgraded from Classic Engine, your apps that used the default policy now use this policy.

| Catch-all rule | |
|---|---|
| IF conditions | Any |
| THEN Access is | Allowed |
| AND User must authenticate with | Any 1 factor type |
| Re-authentication frequency is | Never (if the session is active) |
Any two factors
This is the default policy for new orgs. When you add an app, it starts with this policy.

| Catch-all rule | |
|---|---|
| IF conditions | Any |
| THEN Access is | Allowed |
| AND User must authenticate with | Any 2 factor types |
| Re-authentication frequency is | After 12 hours |
Password only
This is a common use case that requires only a password for authentication.

| Catch-all rule | |
|---|---|
| IF conditions | Any |
| THEN Access is | Allowed |
| AND User must authenticate with | Password |
One factor access
This policy requires users to authenticate with email or SMS only.

| Catch-all rule | |
|---|---|
| IF conditions | Any |
| THEN Access is | Allowed |
| AND User must authenticate with | Any 1 factor type |
To use this policy, add a global session policy rule with the following settings:
- AND Establish the user session with: Any factor used to meet the Authentication Policy requirements
- AND Multifactor authentication (MFA) is: not required
Seamless access based on risk context
This policy requires users to authenticate with Okta FastPass.

| Rule 1: Low Risk | |
|---|---|
| IF conditions | Risk LOW |
| THEN Access is | Allowed |
| AND User must authenticate with | Any 1 factor type |
| AND Access with Okta FastPass is granted | Without the user approving a prompt in Okta Verify or providing biometrics |

| Rule 2: Medium Risk | |
|---|---|
| IF conditions | Risk MED |
| THEN Access is | Allowed |
| AND User must authenticate with | Any 1 factor type |
| AND Possession factor restraints are | Device bound (excludes phone and email) |

| Rule 3: High Risk | |
|---|---|
| IF conditions | Risk HIGH |
| THEN Access is | Allowed |
| AND User must authenticate with | Any 2 factor types |
| AND Possession factor restraints are | Device bound (excludes phone and email) |

| Catch-all rule | |
|---|---|
| IF conditions | Any |
| THEN Access is | Denied |
To use this policy, add a global session policy rule with the following settings:
- AND Establish the user session with: Any factor used to meet the Authentication Policy requirements
- AND Multifactor authentication (MFA) is: not required
Seamless access based on network context
This policy requires two factors if the user is off network.

| Rule 1: In network | |
|---|---|
| IF conditions | In zone LegacyIPZone |
| THEN Access is | Allowed |
| AND User must authenticate with | Any 1 factor type |

| Rule 2: Off network | |
|---|---|
| IF conditions | User not in zone LegacyIPZone |
| THEN Access is | Allowed |
| AND User must authenticate with | Any 2 factor types |

| Catch-all rule | |
|---|---|
| IF conditions | Any |
| THEN Access is | Denied |
To use this policy, complete the following settings:
- Configure the network zone and add your corporate / VPN IPs to the LegacyIPZone.
- Add a global session policy rule with the following settings:
  - AND Establish the user session with: Any factor used to meet the Authentication Policy requirements
  - AND Multifactor authentication (MFA) is: not required
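As an added illustration (not Okta's code or policy format), the following Python models the first-match evaluation of the two "seamless access" presets above: each rule list mirrors the table rows, and `evaluate` returns the first rule whose IF condition holds. The context keys `risk` and `zones` are hypothetical stand-ins for Okta's risk level and network zone evaluation.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rule:
    """One table from the presets: IF condition, THEN access, AND factor requirements."""
    name: str
    condition: Callable[[dict], bool]   # the IF condition, checked against the sign-in context
    access: str                         # "Allowed" or "Denied"
    factor_types: int = 0               # "User must authenticate with: Any N factor types"
    device_bound: bool = False          # "Possession factor restraints: Device bound"
    fastpass_silent: bool = False       # FastPass granted without an Okta Verify prompt/biometric

@dataclass
class Decision:
    rule: str
    access: str
    factor_types: int
    device_bound: bool
    fastpass_silent: bool

def evaluate(rules, ctx):
    """Rules apply top to bottom; the first rule whose IF condition matches decides."""
    for r in rules:
        if r.condition(ctx):
            return Decision(r.name, r.access, r.factor_types, r.device_bound, r.fastpass_silent)
    raise ValueError("no rule matched: every preset ends with a catch-all rule")

# "Seamless access based on risk context" (ctx["risk"] is a hypothetical stand-in for Okta's risk level)
RISK_POLICY = [
    Rule("Rule 1: Low Risk", lambda c: c.get("risk") == "LOW", "Allowed", 1, fastpass_silent=True),
    Rule("Rule 2: Medium Risk", lambda c: c.get("risk") == "MED", "Allowed", 1, device_bound=True),
    Rule("Rule 3: High Risk", lambda c: c.get("risk") == "HIGH", "Allowed", 2, device_bound=True),
    Rule("Catch-all rule", lambda c: True, "Denied"),
]

# "Seamless access based on network context" (ctx["zones"] is the set of zones the client IP falls in)
NETWORK_POLICY = [
    Rule("Rule 1: In network", lambda c: "LegacyIPZone" in c.get("zones", ()), "Allowed", 1),
    Rule("Rule 2: Off network", lambda c: "LegacyIPZone" not in c.get("zones", ()), "Allowed", 2),
    Rule("Catch-all rule", lambda c: True, "Denied"),
]

if __name__ == "__main__":
    for ctx in ({"risk": "LOW"}, {"risk": "HIGH"}, {}):
        print("risk policy", ctx, "->", evaluate(RISK_POLICY, ctx))
    for ctx in ({"zones": {"LegacyIPZone"}}, {"zones": set()}):
        print("network policy", ctx, "->", evaluate(NETWORK_POLICY, ctx))
```

In the network preset the two rules are complementary, so the catch-all Denied row is only reached if one of them is disabled; in the risk preset it is the catch-all that denies a sign-in whose context carries no recognised risk level.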