Okta Access Denied Due to Unsatisfied Policy Requirements
Last Updated:
Overview
Okta denies access when the authentication policy requires an authenticator or constraint that the enrollment policy does not allow, or the current authenticator setup cannot satisfy. Compare the authentication policy with the enrollment policy, then require or allow at least one matching authenticator and correct any Okta Verify user verification mismatch.
The user cannot access Okta or an application and sees the following System Log event:
Access has been denied because the policy requirements could not be satisfied by the users’ current set of available authenticator enrollments
Applies To
- Okta Identity Engine (OIE)
- Enrollment policy
- Authentication Policy
Cause
Okta evaluates the enrollment policy at each sign-in to determine which authenticator can satisfy the authentication policy requirements, including factor count and possession factor constraints.
Common causes include:
- The authentication policy requires a factor that the enrollment policy does not allow.
- The possession factor constraints cannot be satisfied by the authenticator in its current form. This issue commonly affects phishing-resistant requirements because not all authenticator forms are phishing-resistant.
For Okta Verify, only FastPass is phishing-resistant.
NOTE: WebAuthn (FIDO 2) and Okta FastPass, which comes with Okta Verify, are phishing-resistant authenticators. For more information, see Phishing-resistant authenticator enrollment.
- Okta Verify user verification settings are out of sync with the device settings, so the policy requirements cannot be satisfied. Okta denies access with the same error. A common example occurs when enrollment is set to Preferred and the user skips enabling either the personal identification number (PIN) or biometrics, but the authentication policy requires verification with either the PIN or biometrics.
Solution
How is the policy requirement issue resolved?
These steps identify the policy mismatch and align the allowed authenticators with the required authentication methods.
- Go to Security > Authentication Policy.
- Search for the application authentication policy name.
- Open an existing rule or create a new rule.
- Check Authentication methods and identify the required factors and constraints.
The next steps verify that the enrollment policy allows the required authenticators.
- Go to Security > Authenticators > Enrollment.
- Select the authenticator policy name.
- Review Authenticators.
- Confirm that at least one authenticator required by the authentication policy is set to required or optional in the enrollment policy.
These additional checks address common authenticator-specific issues.
- Confirm that the evaluated enrollment policy matches the intended policy because Okta evaluates enrollment policies by priority.
- Enroll the user in the required authenticator, or reset the authenticator if the current enrollment does not satisfy the policy.
- Check migrated users from the Okta Classic Engine who configured Okta Verify to use only one-time passwords (OTPs). Confirm that Push and FastPass are configured when the policy requires those methods, and confirm that Okta Verify is available on the desktop device when required.
- Set Okta Verify to Required in the authentication policy when the policy requires PIN or biometrics for user verification, and the current settings are out of sync.
