The MFA Factor Sequencing feature is no longer available for new activations. No further fixes or enhancements will be provided, and support for this feature is limited to security vulnerability remediations only. For similar functionality, please upgrade to Okta Identity Engine and use the Authentication method chains feature. See Upgrade to Okta Identity Engine or contact Okta Support.
Why are we deprecating Factor Sequencing in Classic Engine?
- The Factor Sequencing feature in Classic Engine was primarily used to support passwordless logins. Passwordless authentication is available in Identity Engine, and we encourage customers to upgrade to Identity Engine to benefit from its enhanced capabilities around passwordless login.
- Factor Sequencing in Identity Engine was created to help customers upgrade from Classic Engine to Identity Engine. It was introduced before the Authentication Method Chains feature was available in Identity Engine. Factor Sequencing in Identity Engine is limited and does not support other security features available in Identity Engine, such as Okta FastPass.
- Factor Sequencing is unavailable when deploying an identity provider or Active Directory Single Sign-On (ADSSO) sign-in flows. Users are not prompted to authenticate with factors in the sequence when signing in to Okta using these flows.
What are the benefits of the Authentication Method Chains?
Authentication Method Chains let you require users to authenticate with security methods in a specified order. They also support advanced security methods in Identity Engine, such as Okta FastPass. You can specify strong authentication constraints, such as phishing resistance, hardware protection, and biometric verification, for each step in a chain. The re-authentication frequency for each step in a chain can also be granularly configured.
Migrate from Factor Sequencing to Authentication Method Chains
Migrating to Authentication Method Chains from Factor Sequencing involves various steps, depending on the use case.
Before beginning
If the org is running Classic Engine, upgrade it to Identity Engine. After the upgrade, perform the action for the applicable use case.
Use Case 1
Factor Sequencing is used in the Global Session Policy (GSP), and no custom applications use the authn API.
Action
- Configure the Authentication Method Chains in the authentication policies, as mentioned in the Authentication method chain documentation.
- Enable the Any factor used to meet the Authentication Policy requirements option in the Establish the user session with section in the GSP, as mentioned in the Add a global session policy rule documentation.
Use Case 2
Factor Sequencing chains are used in the GSP, and custom applications use the authn API.
Action
- Configure the Authentication Method Chains on the authentication policies, as mentioned in the Authentication method chain documentation.
- Enable the Any factor used to meet the Authentication Policy requirements option in the Establish the user session with section in the GSP, as mentioned in the Add a global session policy rule documentation.
- Migrate the custom applications to use either the Direct Auth API or Okta SDKs in place of the authn API.
Use Case 3
Factor Sequencing is enabled, and no chains are configured in the GSP, but there are custom applications that use the authn API.
Action
- Option 1: Configure the custom applications to use either the Direct Auth API or Okta SDKs.
- Option 2: To continue using the authn API, make the changes shown in the sample to ensure that the dependency on Factor Sequencing is removed.
When making the authn request API call, ensure that the password is provided in the call to the authn API, along with the username, as shown below:
{
  "username": "userName",
  "password": "*******",
  "options": {
    "multiOptionalFactorEnroll": true,
    "warnBeforePasswordExpired": true
  }
}
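A migration check for Option 2, added here as an example and not Okta's own code: it builds the request body in the shape of the sample above and audits request bodies from custom applications for a missing password. The application names, sample bodies and function names are constructed for illustration, and the stateToken exemption comes from Okta's Authentication API rather than from this page.

```python
import json

# Options copied from the page's sample request body.
SAMPLE_OPTIONS = {"multiOptionalFactorEnroll": True, "warnBeforePasswordExpired": True}


def build_authn_body(username, password, options=None):
    """Build a primary authn body; refuse to emit one without a password."""
    if not username or not password:
        raise ValueError("username and password are both required")
    return {"username": username, "password": password,
            "options": dict(SAMPLE_OPTIONS if options is None else options)}


def audit_authn_bodies(bodies):
    """Map app name -> reason for each body that still lacks a usable password."""
    findings = {}
    for app, raw in bodies.items():
        try:
            body = json.loads(raw)
        except json.JSONDecodeError:
            findings[app] = "body is not valid JSON"
            continue
        if not isinstance(body, dict):
            findings[app] = "body is not a JSON object"
        elif "stateToken" in body:
            # Continues an existing transaction, not a primary credential check
            # (stateToken is from Okta's Authentication API, not from this page).
            continue
        elif not body.get("username"):
            findings[app] = "username missing or empty"
        elif not isinstance(body.get("password"), str) or not body["password"]:
            findings[app] = "password missing or empty"
    return findings


# Constructed sample bodies; app names and values are hypothetical.
CONSTRUCTED_BODIES = {
    "hr-portal": json.dumps(build_authn_body("alice@example.com", "constructed-secret")),
    "kiosk-app": '{"username": "bob@example.com", "options": {"multiOptionalFactorEnroll": true}}',
    "legacy-sync": '{"username": "carol@example.com", "password": ""}',
    "step-up": '{"stateToken": "constructed-token"}',
    "batch-job": '{"username": "dave@example.com", ',
}

if __name__ == "__main__":
    for app, reason in audit_authn_bodies(CONSTRUCTED_BODIES).items():
        print(f"{app}: {reason}")
```

The audit reports only the application name and the reason, so credential values never reach the output.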