This article explains why users enrolled in Okta Verify are denied access to an application when authenticating with a username and password. This situation occurs when specific authentication policy rules are in place and Okta is unable to probe for device context.
- Okta Verify
- Authentication Policies
- Service Accounts
- Android
- iOS
- macOS
- Windows
- Okta FastPass
- Okta Identity Engine (OIE)
Users are denied access because Okta cannot probe for device context. This happens when the application's authentication policy contains the following rules (one of which covers service accounts) and users authenticate with only a username and password:
- Rule 1: A non-service account, signing in with a device that is either registered and not managed or registered and managed, is granted access with any one authentication factor.
- Rule 2: Any service account, signing in from any device, can access the app with any two authentication factors.
- Rule 3: A catch-all rule denies all other access attempts.
When users authenticate using only a username and password, Okta Verify does not provide the device context that the rules depend on. A regular user's sign-in therefore cannot satisfy the device condition of Rule 1, and Rule 2 applies only to service accounts, so the attempt falls through to Rule 3 and access is denied.
To work around this issue, enable Okta FastPass and instruct users to use it for application sign-in.
- Enable Okta FastPass in the authentication policies.
- Ensure that the Show the "Sign in with Okta FastPass" button checkbox is selected in the relevant policy settings (typically found when configuring authenticators or identity provider routing rules).
- Instruct users to select the Sign in with Okta FastPass button when they sign in to applications.
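The following is an added, simplified model of how the three rules above are evaluated; it is not Okta's code and is not part of this article. It assumes rules are checked top to bottom with the first rule whose conditions match deciding the outcome, that a password-only sign-in leaves the device state unknown because Okta Verify never ran, and that a FastPass sign-in reports the device as registered or managed. The rule names, the `DeviceState` values and the helper functions are constructed for the illustration.

```python
"""Simplified model of Okta authentication-policy rule evaluation.

Constructed illustration, not Okta's implementation. Assumptions: rules are
checked top to bottom and the first rule whose conditions match decides the
outcome; a password-only sign-in carries no device context because Okta
Verify / FastPass never ran, so the device state is UNKNOWN.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Tuple


class DeviceState(Enum):
    UNKNOWN = "unknown"            # Okta could not probe the device
    UNREGISTERED = "unregistered"  # probed, but not enrolled in Okta Verify
    REGISTERED = "registered"      # registered, not managed
    MANAGED = "managed"            # registered and managed


@dataclass(frozen=True)
class SignIn:
    service_account: bool
    device: DeviceState
    factors_presented: int  # distinct factors already satisfied (password = 1)


@dataclass(frozen=True)
class Rule:
    name: str
    service_account: Optional[bool]            # None = any user type
    devices: Optional[FrozenSet[DeviceState]]  # None = any device
    required_factors: Optional[int]            # None = deny access

    def matches(self, s: SignIn) -> bool:
        """Conditions only: who is signing in and from what kind of device."""
        if self.service_account is not None and self.service_account != s.service_account:
            return False
        if self.devices is not None and s.device not in self.devices:
            return False
        return True


# The three rules described in the article, in evaluation order (constructed names).
POLICY = (
    Rule("Rule 1", service_account=False,
         devices=frozenset({DeviceState.REGISTERED, DeviceState.MANAGED}),
         required_factors=1),
    Rule("Rule 2", service_account=True, devices=None, required_factors=2),
    Rule("Rule 3 (catch-all)", service_account=None, devices=None, required_factors=None),
)


def evaluate(policy, s: SignIn) -> Tuple[str, str]:
    """Return (matched rule name, outcome) for a sign-in attempt.

    Outcome is 'allow', 'deny', or 'needs N more factor(s)' when the matching
    rule would allow access but more factors must still be satisfied.
    """
    for rule in policy:
        if not rule.matches(s):
            continue
        if rule.required_factors is None:
            return rule.name, "deny"
        missing = rule.required_factors - s.factors_presented
        if missing <= 0:
            return rule.name, "allow"
        return rule.name, f"needs {missing} more factor(s)"
    return "no rule", "deny"  # policies end in a catch-all; kept as a safe default


def password_only(service_account: bool) -> SignIn:
    """Username + password with no Okta Verify involvement: device context unknown."""
    return SignIn(service_account, DeviceState.UNKNOWN, factors_presented=1)


def fastpass(service_account: bool, managed: bool = True) -> SignIn:
    """Sign in with Okta FastPass: Okta Verify reports the device state."""
    state = DeviceState.MANAGED if managed else DeviceState.REGISTERED
    return SignIn(service_account, state, factors_presented=1)


if __name__ == "__main__":
    for label, attempt in [
        ("regular user, password only", password_only(False)),
        ("regular user, FastPass", fastpass(False)),
        ("service account, password only", password_only(True)),
    ]:
        print(f"{label:32} -> {evaluate(POLICY, attempt)}")
```

Running the block shows the failure mode from the article: the regular user's password-only attempt has an unknown device state, matches neither Rule 1 nor Rule 2, and lands on the catch-all deny, while the same user signing in with FastPass matches Rule 1 with a single factor. A service account with only a password matches Rule 2 and is simply asked for a second factor rather than denied.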
