User Is Prompted for MFA in a Loop
Multi-Factor Authentication
Okta Identity Engine
Overview

Okta can reject an authentication if the factors provided do not satisfy all of the "Authentication policy" conditions. The user is then prompted to select an authenticator again until Okta accepts the factors provided. This happens because there are scenarios where allowed factors do not satisfy the Authentication Policy Rules: a factor's properties can differ depending on the OS used or, in the case of WebAuthN, on the form of WebAuthN used.

Applies To
  • Okta Identity Engine (OIE)
  • Security
  • Multi-Factor Authentication (MFA)
Cause

When the MFA factor used in the authentication flow does not satisfy the conditions of the Authentication Policy, the user might be prompted for MFA in a loop. The cause could be either that the "Any 2 factor types" requirement needs both a Knowledge/Biometric factor type and a Possession factor enrolled, or that the Possession factor does not satisfy the "Factor Possession constraints".

The most common scenarios are:

  • Two Possession factors are enrolled under an "Any 2 factor types" authentication policy, but neither can satisfy the Knowledge/Biometric condition
  • The possession factor does not satisfy the Possession factor constraints in every scenario (for example, not all forms of WebAuthN are phishing resistant)
Solution

Review the Authentication policy and confirm that:

  1. The factors that are used can satisfy both the Knowledge/Biometric factor type and the Possession factor type listed in the "User must authenticate with Any 2 factor types" section of the authentication policy.
  2. The Possession factor constraints are satisfied, based on the Multi-Factor Authentication document.
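
The two checks above can be run against a user's enrollments to see which condition causes the loop. This is an added example, not Okta code or an Okta API: the `Authenticator` model, the `loop_causes` helper, the `phishing_resistant` property name and the sample enrollments are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Authenticator:
    name: str
    factor_types: frozenset              # subset of {"knowledge", "biometric", "possession"}
    properties: frozenset = frozenset()  # properties as reported for THIS OS / WebAuthN form

def loop_causes(enrolled, possession_constraints=frozenset()):
    """Return reasons an 'Any 2 factor types' rule cannot be satisfied; [] means it can."""
    causes = []
    possession = [a for a in enrolled if "possession" in a.factor_types]
    # Possession factors whose properties cover every configured constraint.
    meets = [a for a in possession if possession_constraints <= a.properties]
    kb = [a for a in enrolled if a.factor_types & {"knowledge", "biometric"}]
    if not kb:
        causes.append("no Knowledge/Biometric factor enrolled")
    if not possession:
        causes.append("no Possession factor enrolled")
    elif not meets:
        # Every possession factor fails; report what each one is missing.
        for a in possession:
            missing = sorted(possession_constraints - a.properties)
            causes.append(f"{a.name} lacks possession constraint(s): {', '.join(missing)}")
    return causes

# Constructed sample enrollments (hypothetical, not taken from a real tenant).
PASSWORD = Authenticator("password", frozenset({"knowledge"}))
SMS = Authenticator("sms", frozenset({"possession"}))
EMAIL = Authenticator("email", frozenset({"possession"}))
# Two forms of the same authenticator that report different properties.
WEBAUTHN_PR = Authenticator("webauthn-a", frozenset({"possession"}),
                            frozenset({"phishing_resistant"}))
WEBAUTHN_NO_PR = Authenticator("webauthn-b", frozenset({"possession"}))

if __name__ == "__main__":
    pr = frozenset({"phishing_resistant"})
    # Scenario 1: two Possession factors, nothing for Knowledge/Biometric.
    print(loop_causes([SMS, EMAIL]))
    # Scenario 2: Possession factor present but not phishing resistant.
    print(loop_causes([PASSWORD, WEBAUTHN_NO_PR], pr))
    # Satisfiable combination: empty list, no loop expected from the policy.
    print(loop_causes([PASSWORD, WEBAUTHN_PR], pr))
```

An empty result means the enrolled factors can satisfy the rule; any returned reason names the condition to fix in the policy or the enrollment.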

