
JonW.66258 (Customer) asked a question.
This documentation references "Authentication policy factor settings". https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/asop-authentication-scenarios.htm
It seems to indicate that possession factors can be configured "for each device", "for each session", or "every time". I do not see anything in the interface or other documentation that would allow the possession factors to be configured for a given authentication policy.
To some degree, this can be handled in the global session policy, but the documentation above is not for that. It is referencing a generic global session policy. Additionally, I don't see in the global session policy how a possession factor would be configured at the global session scope:
"Password + possession factor (for each session)
The user signs in. They're prompted for a password or an authenticator again when the session defined in the global session policy expires."
Additionally, why would this be password "or" an authenticator and not "and"?
Can you please help me better understand the above documentation?

Hi, @JonW.66258 (Customer)
Thank you for posting on our Community page!
Every app in your org has an authentication policy. The authentication policy verifies that users who try to sign in to the app meet specific conditions, and it enforces factor requirements based on those conditions.
Authentication policies share some conditions with global session policies, but they serve different purposes. A user who gains access to Okta through the global session policy doesn't automatically have access to their apps. You can create a unique policy for each app in your org, or create a few policies and share them across multiple apps. You can also use Okta preset policies for apps with standard sign-on requirements. If you decide later to change an app’s sign-on requirements, you can modify its policy or switch to a different policy.
You can set Password AND factor in any Authentication policy rule.
https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/add-app-sign-on-policy-rule.htm
2 factor types: To require users to provide two distinct factor types, choose one of these options.
You can also choose the Passwordless option where you can configure Okta FastPass.
For two-factor passwordless authentication options, see Configure Okta FastPass.
_____________________________________________________________________________
Hi Laura,
Thanks for the response, but that doesn't really answer my question.
For example, can you point me to how one might configure "Password + possession factor (for each session)" vs "Password + possession factor (for each device setting)" as stated in the documentation above?
Thanks!
Jon