I’ve set up a custom OIDC Identity Provider (IdP) as a possession factor and created a new authenticator mapped to this custom IdP. After enabling the necessary Early Access features, I can now define authentication policies for specific applications that require my custom authenticator as a possession factor.
However, in some cases, I want to enforce both my custom authenticator as a possession factor and at least one additional factor, such as TOTP or Push. The issue is that when multiple factors are enabled (e.g., my custom authenticator and TOTP), the policy allows users to authenticate using any of the enabled factors instead of requiring multiple factors.
Is there a way to mandate the use of multiple possession factors within authentication policies? If not, what are the best practices or possible workarounds to achieve this?
Sorry for the late reply. I am checking the options on my screen and I do not see Authentication method chain.
Do we have to enable some beta feature to be able to see the option?
This feature should be Generally Available for Production tenants. If you are using a paid tenant that you believe should have this feature enabled, you can reach out to our support team via the Help Center for assistance.
Note that support is unable to enable any features in Developer Free tenants.
@andrea Thanks for the quick turnaround. We are using Developer free tenants because we are testing an integration feature for our customers using Okta. Is there any chance we can get this feature enabled for us until we complete our tests?