Users from Blocked Countries Able to Use Okta Verify
Multi-Factor Authentication
Okta Identity Engine
Overview

A user successfully enrolls in Okta Verify and authenticates from a country that the sign-on policies block. Users bypass these policies by using a VPN to appear inside an allowed network zone. Prevent this behavior by configuring an enrollment policy rule that denies authenticator enrollment for IP addresses outside the allowed zone.

Applies To
  • Okta Verify
  • Okta Identity Engine (OIE)
  • Blocked Country
Cause

A VPN masks the actual location of the user, making the connection appear to originate from an allowed network zone.

Solution

    How is Okta Verify enrollment restricted to specific network zones?

     

    Configure the authenticator enrollment policy to deny enrollment for users outside the allowed IP zone.

    1. Go to Authenticators > Enrollment and identify the applicable enrollment policy for the affected users.
    2. Edit the relevant rule intended for these users.
    3. Locate the "User's IP is" condition, choose "Not in Zone", and specify the allowed IP zone.
    4. Select "Deny enrollment of all authenticators".
      • Verify the configuration matches the provided example.

    Network Zone Configuration Example
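
To confirm the rule is taking effect, enrollment events can be checked against the allowed zone after the change. The following is an added example, not part of the original article or Okta's own code: the zone CIDRs and the events are constructed, and the event type and field names (`eventType`, `actor.alternateId`, `client.ipAddress`) are assumed to follow the System Log event layout.

```python
import ipaddress

# Assumption: CIDRs of the allowed IP zone (RFC 5737 documentation ranges).
ALLOWED_ZONE = ["203.0.113.0/24", "198.51.100.0/25"]
# Assumption: System Log event type recorded when a factor is activated.
ENROLL_EVENT = "user.mfa.factor.activate"

def _event(event_type, user, ip):
    # Builds a constructed event shaped like a System Log entry.
    return {"eventType": event_type,
            "actor": {"alternateId": user},
            "client": {"ipAddress": ip}}

# Constructed sample data, not real log output.
SAMPLE_EVENTS = [
    _event(ENROLL_EVENT, "alice@example.com", "203.0.113.10"),
    _event(ENROLL_EVENT, "bob@example.com", "198.51.100.200"),   # outside the /25
    _event("user.session.start", "carol@example.com", "192.0.2.5"),
    _event(ENROLL_EVENT, "dave@example.com", None),              # no client IP
]

def in_zone(ip, zone_cidrs):
    """True only if ip parses and falls inside one of the zone's CIDRs."""
    try:
        addr = ipaddress.ip_address(ip)
    except (ValueError, TypeError):
        return False  # missing or malformed IP counts as outside the zone
    return any(addr in ipaddress.ip_network(c) for c in zone_cidrs)

def enrollments_outside_zone(events, zone_cidrs):
    """Return enrollment events the deny rule should have blocked."""
    findings = []
    for ev in events:
        if ev.get("eventType") != ENROLL_EVENT:
            continue
        ip = (ev.get("client") or {}).get("ipAddress")
        if not in_zone(ip, zone_cidrs):
            user = (ev.get("actor") or {}).get("alternateId", "unknown")
            findings.append({"user": user, "ip": ip})
    return findings

if __name__ == "__main__":
    for f in enrollments_outside_zone(SAMPLE_EVENTS, ALLOWED_ZONE):
        print(f"enrollment outside allowed zone: {f['user']} from {f['ip']}")
```

Any finding dated after the rule was saved means the affected user is matching a different enrollment policy or a higher-priority rule.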
