<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Mandate Specific Factors in Global Session and Authentication Policies
Nov 4, 2025
Administration
Multi-Factor Authentication
Okta Identity Engine
Overview

Okta Identity Engine (OIE) provides increased flexibility for Authentication with Application Level Authentication Policies. It also provides a simplified administrator experience by moving from factor sequencing to Assurance Models. This new experience is simple and allows to specify things like Any 1 Factor or Password + Another Factor or Any 2 Factors with the ability to specify constraints such as Phishing-resistance (that is, FIDO2/WebAuthN) and Hardware protected (the device has a TPM or secure enclave).


The downside of this new experience is that the standard administrator user interface does not allow for specifying certain factors to meet regulatory or other requirements. One may have specific factor requirements that users would like to adhere to that cannot be specified in the web interface.

Applies To
  • Okta Identity Engine (OIE)
  • Customization
  • API
  • Authentication Policies
  • Global Session Policies
Solution

It is possible to mandate specific factors for Global Session Policies (OIE) or Authentication policies (OIE) via the Policy API.


NOTE: It is recommended to create a testing policy, assign a test application to it, and test changes to the test policies before existing integrations.


To create a new rule for a policy, issue a POST to:

{{url}}/api/v1/policies/{{policyId}}/rules/

 


In this example, to specify PUSH as a single factor, modify the actions section of the sample body as below. This specifies only 1 factor is required and that it needs to satisfy the constraint of being a possession factor with method PUSH, and reauthentication is required every 2 hours. The full format and available options for these settings can be found in the developer documentation.


Example:

This example shows the Body of a call to POST {{url}}/api/v1/policies/{{policyId}}/rules/ that will make an authentication policy rule called "Idea" that will restrict users to only using the PUSH authenticator. For a list of available authenticators, reference the developer documentation above.

{
   "status": "ACTIVE",
   "name": "Idea",
   "priority": 0,
   "conditions": null,
   "actions": {
      "appSignOn": {
         "access": "ALLOW",
         "verificationMethod": {
            "factorMode": "1FA",
            "type": "ASSURANCE",
            "reauthenticateIn": "PT2H",
            "constraints": [
               {
                  "possession": {
                     "types": [
                        "APP"
                     ],
                     "methods": [
                        "PUSH"
                     ]
                  }
               }
            ]
         }
      }
   },
   "type": "ACCESS_POLICY"
}

 

Result:

API CALL

User Interface result

User Interface result - Access allowed

 

Related References


 

Recommended content

Still looking for help?
Loading
Mandate Specific Factors in Global Session and Authentication Policies