How can an Okta Admin enforce user step-up authentication requirements when an employee uses a new device?

Enforcing user step-up authentication requirements when an employee uses a new device is achieved through the creation or modification of multi-factor authentication (MFA) enrollment policies. MFA enrollment policies allow administrators to define specific conditions under which users are required to authenticate using additional factors, such as a one-time password or biometric data, based on the risk associated with new devices.

When an employee logs in from a device that has not been previously recognized, the MFA policy triggers a step-up authentication. This additional layer of security ensures that even if an authentication attempt is made from a familiar username and password, the user must provide further proof of their identity due to the unrecognized device.

This approach helps protect user accounts from potential unauthorized access that could occur if someone gains access to the user's credentials. In contrast, other options such as group rules or LDAP interface settings do not specifically address device recognition for MFA enforcement, making them unsuitable for step-up authentication requirements. Profile enrollment policies are also not directly related to managing or enforcing MFA based on new device usage.