Is it possible to configure Okta so that a user could use different credentials? For example, email/password, phone number + push or SMS, or some other custom authentication mechanism (let’s say, a fingerprint scanner). In other words, we have two needs here:
- we need to be able to support different authentication mechanisms for different situations. Sometimes, we could let the user choose one, sometimes it is defined by context (application type, for example).
- we need to be able to add custom authentication mechanisms and use them in specific client applications.
Hi @kit! You may want to review our MFA options here: Multifactor Authentication (MFA) | Okta, in addition to App Level MFA: App-level MFA | Okta.
I understand how MFA works, but I’m not talking about MFA. I’m talking about being able to use different credentials or authenticators for the first factor. For example, for one application we use email/password + MFA, for another one phone/password + MFA, for yet another case — custom biometric authenticator + MFA. This means that we must be able:
- to have different authenticators, including pluggable custom ones
- to select which authenticator (first factor) to use for the first factor on a per-application basis
- in some cases, to allow the user to select which credentials to use: email/password or phone/password, or account id/password. I often see this case in banks.
Is it possible?
@kit thanks for clarifying - you could try application sign-on policies - Configure an app sign-on policy | Okta.
Hi @kit, there’s an Early Access feature in Okta traditional called Factor Sequencing which does some of what you’re after. You can construct global sign-in policies which chain authentication options, allowing (for example) login with a password or SMS. You always need the user’s username so Okta can work out which authentication factors are available for the user.
It’s enabled via support but note it’s EA and support levels may vary.
OIE is really where more flexible auth features will become available. You probably will still need a username though.