What would trigger step-up authentication in Okta?

Step-up authentication in Okta is designed to enhance security by requiring additional verification under certain conditions. One of the key triggers for this heightened authentication requirement is accessing resources from a location that is considered risky, such as a blocklisted IP range.

When a user attempts to log in from an IP address that is on a blocklist, it signifies that the request may be coming from a potentially harmful or untrusted source. Therefore, to protect sensitive information and ensure that the access request is legitimate, Okta will prompt for additional authentication, which can include methods like multi-factor authentication (MFA).

This is a proactive measure to prevent unauthorized access, particularly in scenarios where the risk is heightened due to location-based threats. Other choices, like logging in from a familiar device or enabling single sign-on, do not inherently trigger step-up authentication, as they are considered lower risk. Changing a user password may also not automatically necessitate step-up authentication unless there are other risk factors involved.