How to Configure Policies for Specific Okta Groups to Authenticate with a Particular Factor
Multi-Factor Authentication
Okta Identity Engine
Overview

For users in an Okta group assigned to an application, a Factor Enrollment Policy, a Global Session Policy, and an Authentication Policy must be configured specifically for that group to prompt users for a specific factor when authenticating to an application. The instructions are provided below.

Applies To
  • Okta Identity Engine (OIE)
  • Multi-Factor Authentication (MFA)
  • Authentication Policies
Solution
  1. Create a Factor Enrollment Policy and assign it to the group.
  2. Set the factor that the group's users will authenticate with (for example, FIDO2 (WebAuthn)) to Required, and add a Rule.

  3. Add a Global Session Policy and assign it to the group.

  4. Add a rule to the Global Session Policy. Set Establish the user session with to Any factor used to meet the Authentication Policy requirements, and set Multifactor authentication (MFA) is to Not Required.

  5. Create an Authentication Policy and add a rule.

  6. Set AND User must authenticate with to Any 1 factor type / IdP.

    • Your org's authenticators that satisfy this requirement will be shown in the box below.

 

Because the Password and FIDO2 (WebAuthn) security methods are both set to Required, users can choose either factor when signing in.
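
To confirm that the three policies line up for the group after steps 1 to 6, the added example below (not Okta's own code) audits policy and rule documents of the kind returned by the Policies API. The field names reflect the editor's understanding of that API and are an assumption to check against a real export; the group ID and sample documents are constructed.

```python
# Added audit sketch. Field names follow Okta's Policies API as understood by
# the editor (an assumption); compare with a real export from your org.
GROUP_ID = "00gEXAMPLEGROUP"  # placeholder group ID, constructed

def targets_group(policy, group_id):
    groups = policy.get("conditions", {}).get("people", {}).get("groups", {})
    return group_id in groups.get("include", [])

def audit(enroll, session, session_rule, auth_rule, group_id, factor="webauthn"):
    """Return a list of deviations from the configuration in steps 1-6."""
    findings = []
    # Steps 1-2: enrollment policy assigned to the group, factor Required.
    if enroll.get("type") != "MFA_ENROLL" or not targets_group(enroll, group_id):
        findings.append("enrollment policy not assigned to group")
    modes = {a.get("key"): a.get("enroll", {}).get("self")
             for a in enroll.get("settings", {}).get("authenticators", [])}
    if modes.get(factor) != "REQUIRED":
        findings.append(f"{factor} enrollment is {modes.get(factor)}, not REQUIRED")
    # Steps 3-4: global session policy on the group, MFA not required there.
    if session.get("type") != "OKTA_SIGN_ON" or not targets_group(session, group_id):
        findings.append("global session policy not assigned to group")
    signon = session_rule.get("actions", {}).get("signon", {})
    if signon.get("primaryFactor") != "PASSWORD_IDP_ANY_FACTOR":
        findings.append("session is not established with any factor")
    if signon.get("requireFactor") is not False:
        findings.append("global session rule still requires MFA")
    # Steps 5-6: authentication policy rule asks for any 1 factor type.
    method = (auth_rule.get("actions", {}).get("appSignOn", {})
              .get("verificationMethod", {}))
    if method.get("factorMode") != "1FA":
        findings.append("authentication rule is not 'Any 1 factor type'")
    return findings

# Constructed sample documents, trimmed to the fields the audit reads.
people = {"people": {"groups": {"include": [GROUP_ID]}}}
ENROLL = {"type": "MFA_ENROLL", "conditions": people, "settings": {"authenticators": [
    {"key": "okta_password", "enroll": {"self": "REQUIRED"}},
    {"key": "webauthn", "enroll": {"self": "REQUIRED"}}]}}
SESSION = {"type": "OKTA_SIGN_ON", "conditions": people}
SESSION_RULE = {"actions": {"signon": {
    "access": "ALLOW", "requireFactor": False,
    "primaryFactor": "PASSWORD_IDP_ANY_FACTOR"}}}
AUTH_RULE = {"actions": {"appSignOn": {
    "access": "ALLOW", "verificationMethod": {"factorMode": "1FA", "type": "ASSURANCE"}}}}

if __name__ == "__main__":
    print(audit(ENROLL, SESSION, SESSION_RULE, AUTH_RULE, GROUP_ID) or "matches the article")
```

An empty list means the documents match the configuration described above; each finding names the step that drifted.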
