Prompt for an MFA factor when a user is outside the US
On This Page
In addition to the Okta Sign-On Policy, there is a sign-on policy for each application that determines the extra levels of authentication that you may want performed before a user can access an application. The following are step-by-step instructions to configure an App sign-on policy to prompt a user for an MFA factor when the user is outside the United States.
Note: This example assumes that you have already set up a Dynamic Zone for the United States.
From the Developer Console, select Applications.
Select the app that you want to configure a sign-on policy for. In this example, we are using a Web App.
Click Sign On and scroll down to the Sign On Policy section.
Note: Some options described in this section may not be available in your org. To enable them, contact Okta Support.
Click Add Rule.
Enter a Rule Name such as Prompt for an MFA factor when a user is outside the US.
Select who the rule applies to in the People section. In this use case example, select The following groups and users:.
In the Groups box that appears, enter the group that you want this rule to apply to. In this example, we are using Everyone. You can also add specific users that you want to include in the Users box.
If you want to exclude specific groups and users from the policy rule, select Exclude the following users and groups from this rule: and then specify the groups and users.
Specify the location to which you want the policy to apply in the LOCATION section of the dialog box. In this example, select In Zone.
In the Network Zones box that appears, enter the name of the zone that you want to apply, and then add it when it appears in the list. In this example, we are adding the network zone for the United States that we suggested you create before starting the steps in this guide.
In the CLIENT section, clear the platform conditions that you don't want the rule to apply to. In this example, leave the default of all platforms selected.
For this use case, in the ACTIONS section, leave the default of Allowed for the When all the conditions above are met, sign on to this application is drop-down box.
Select the Prompt for factor check box to require users who are outside of the United States to choose an MFA option for additional authentication.
Note: The Multifactor Settings link takes you to the Multifactor Authentication page, where you can add factors.
Then, specify how frequently you want the users to be prompted. Select Once per session for this use case.
Note: While you can configure your App sign-on policies to prompt end users for MFA, be aware that legacy protocols such as
IMAPdon't support MFA even if MFA is configured.