The Okta Verify application must be installed on the device since it is used for silent checking and for managing the device's initial setup.
This login flow applies only if the end user has logged in to FastPass at least once. The end user can then choose another MFA factor (such as SMS).
- Okta Identity Engine (OIE)
- Device Trust 2.0 / Device Integrations
- Multi-Factor Authentication (MFA)
For the device to be evaluated, at least one of the policy rules must require the device's status to be Registered or Registered and Managed.
This sample scenario uses the following OIE policies and rules:
App Authentication Policy
Rule 1: Allow Users = Registered, Managed.
Rule 2: Deny Users = Any, Not Managed.
If no policies/rules are created, it will fall under the Default Policy that allows any user to log in.
Global Session Policy
MFA = Required
Establish the user session with = Any factor that meets the Authentication Policy requirements.
Not Managed Device Behavior (Login Flow)
- Enter Username.
- Prompted to Sign in with Okta FastPass, and an Error shows:
Managed Device Behavior (Login Flow)
- Enter Username.
- Click Next.
- Enter the Password and click Verify.
- Prompted with which MFA to use: FastPass, Email, Phone, etc. (Whatever is set to optional or required).
- Select Phone (SMS).
- Receive a code via SMS.
- Enter Code.
- Successfully logs in.
NOTE: Users need to log in with their usernames to choose other MFA options besides FastPass.
Conclusion
The Okta System Log shows a successful login using Phone (SMS) as the MFA factor instead of FastPass, and shows that the device is Managed/Registered.
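
The rule matching in the sample scenario, as an added example that is not part of the original article and is not Okta's own code: a simplified Python model of priority-ordered, first-match evaluation over Rule 1 and Rule 2. All class, field and function names are hypothetical; the model assumes that a device which is never evaluated is treated as unregistered and unmanaged, and that a request matching no rule falls to the Default Policy.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified model; names are hypothetical, not Okta API objects.
@dataclass(frozen=True)
class Device:
    registered: bool
    managed: bool

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "ALLOW" or "DENY"
    registered: Optional[bool] = None  # None means "Any"
    managed: Optional[bool] = None     # None means "Any"

    def matches(self, dev: Device) -> bool:
        return (self.registered in (None, dev.registered)
                and self.managed in (None, dev.managed))

# The sample scenario's App Authentication Policy, in priority order.
SCENARIO = [
    Rule("Rule 1", "ALLOW", registered=True, managed=True),
    Rule("Rule 2", "DENY", registered=None, managed=False),
]

def device_is_evaluated(rules) -> bool:
    """True if some rule requires Registered (alone or with Managed)."""
    return any(r.registered is True for r in rules)

def evaluate(rules, dev: Device):
    """Return (rule name, action) for the first matching rule."""
    # Assumption: a device that is never evaluated looks unregistered/unmanaged.
    seen = dev if device_is_evaluated(rules) else Device(False, False)
    for rule in rules:
        if rule.matches(seen):
            return rule.name, rule.action
    # No rules (per the article) or no match (assumption): Default Policy.
    return "Default Policy", "ALLOW"

def sign_in(rules, dev: Device, factor: str, mfa_required: bool = True) -> str:
    """Global Session Policy: MFA required, any allowed factor satisfies it."""
    name, action = evaluate(rules, dev)
    if action == "DENY":
        return f"denied by {name}"
    if mfa_required and not factor:
        return "denied: MFA required"
    return f"allowed by {name} with {factor}"
```

Removing the `registered=True` condition from every rule makes `device_is_evaluated` return false, which is the situation the article warns about: the device state is never checked, so a managed device cannot be distinguished from an unmanaged one.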
