This article describes assurance levels, factors, and authenticators, and how their behavior differs between the Okta Classic Engine and the Okta Identity Engine.
- Multi-Factor Authentication (MFA)
- Authenticators
- Authentication Policy
The Okta Identity Engine changes the definitions of authenticators and factors to provide an industry-standard differentiation:
- Factors are different categories that define how authentication takes place and the means by which they are controlled by end users.
- Authenticators are used to verify one or more factors with characteristics such as Knowledge, Possession, and Inherence/Biometrics. See Multi-Factor Authentication.
- Assurance is the degree of confidence that an end user signing into an application is the same end user who previously signed in to the application. The use of one or more authenticators and their characteristics determines an assurance level.
What this means in practice:
With Identity Engine, authenticators are specified for availability within the organization. Then, for every application or resource protected by Okta, the assurance requirement is defined for users to gain access.
[Screenshot: Identity Engine Authentication Policy, Edit Rule screen]
Authentication change
In Identity Engine, requiring a password first is optional.
COMPARISON
| Classic Engine | Identity Engine |
| --- | --- |
| Each app has its own separate App Sign-on Policy. | Share Authentication Policies across the apps with identical authentication requirements. |
The requirement may be met by whichever authenticator(s) are allowed.
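The following is an added example, not Okta code or part of the original article: a simplified Python model of how authenticators' factor types combine to meet a per-application assurance requirement, including a rule that does not require a password. The authenticator names, the `AssuranceRequirement` fields and the matching logic are assumptions for illustration and do not reproduce Okta's policy evaluation.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

@dataclass(frozen=True)
class Authenticator:
    name: str
    factor_types: frozenset  # knowledge, possession and/or inherence

@dataclass(frozen=True)
class AssuranceRequirement:
    min_factor_types: int                    # distinct factor types that must be verified
    required_types: frozenset = frozenset()  # factor types that must be among them
    allowed: Optional[frozenset] = None      # authenticator names permitted; None = any

def satisfying_sets(enrolled, req):
    """Return the minimal authenticator combinations that meet the requirement."""
    usable = [a for a in enrolled if req.allowed is None or a.name in req.allowed]
    found = []
    for size in range(1, len(usable) + 1):
        for combo in combinations(usable, size):
            names = frozenset(a.name for a in combo)
            if any(prev <= names for prev in found):
                continue  # a smaller combination already satisfies the rule
            covered = frozenset().union(*(a.factor_types for a in combo))
            if len(covered) >= req.min_factor_types and req.required_types <= covered:
                found.append(names)
    return found

# Constructed sample data: hypothetical authenticators enrolled by one user.
ENROLLED = [
    Authenticator("password", frozenset({"knowledge"})),
    Authenticator("security_key", frozenset({"possession"})),
    Authenticator("app_push_biometric", frozenset({"possession", "inherence"})),
]

# Hypothetical per-application requirements.
ANY_ONE_FACTOR = AssuranceRequirement(min_factor_types=1)
TWO_FACTOR_TYPES = AssuranceRequirement(min_factor_types=2)
PASSWORDLESS = AssuranceRequirement(
    min_factor_types=1,
    required_types=frozenset({"possession"}),
    allowed=frozenset({"security_key", "app_push_biometric"}),
)

if __name__ == "__main__":
    for label, req in [("any one factor", ANY_ONE_FACTOR),
                       ("two factor types", TWO_FACTOR_TYPES),
                       ("passwordless", PASSWORDLESS)]:
        print(label, [sorted(s) for s in satisfying_sets(ENROLLED, req)])
```

In this model a single authenticator that verifies two factor types meets the two-factor-type requirement on its own, while a user who has enrolled only a password cannot meet it at all.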
Navigation change
- In Okta Classic Engine, Factors are in Security > Multifactor.
- In Okta Identity Engine, Authenticators are in Security > Authenticators.
