Okta Identity Engine

A set of customisable building blocks for any access experience

Organisations need a secure, out-of-the-box solution that can be customised to build trusted, tailored user journeys.

To create tailored, unique identity experiences, organisations have traditionally been faced with a choice:

Build a custom solution from scratch which takes time and may introduce security risks.
Use a pre-defined solution but compromise on the experience.

The Okta Identity Engine is a set of customisable building blocks for every access experience

Break apart pre-defined authentication, authorisation, and registration flows

Customers can create dynamic, context-based user journeys, unlocking the ability to address an unlimited number of identity use cases with minimal custom code. Use context about the user, device, app, network, and intent to inform the identity journey of any user, adapting that access experience accordingly. The Okta Identity Engine is made up of a sequence of individual Steps that can handle the entire user journey from registration to authentication to authorisation.

Identity Engine - building blocks for access
Customize authorization components

Customise the behavior of each step with Components

Components give you the ability to evaluate policies, trigger Hooks, publish events, prompt the user for action, or direct to an external service. Customisations can vary depending on the use case and the context applied. This means you can configure Okta to skip Steps in the engine. And, you can choose different Steps to run and skip for any app or at any point in the experience, creating a variety of identity sequences.

Customise user journeys

Based on the customisations applied, Okta can take further actions within each step to progress the user through their journey.

Email magic link authentication

Step up authentication

Gather more information

Identity verification or validation

Custom branding

Route to an external system


The ability to execute Hooks and publish events, give you the power to support infinite use cases while still leveraging the security guardrails of the Okta Identity Engine. Hooks add extensibility to the Okta Identity Engine, allowing you to add custom code to do modify inflight processes and notify external services. There are two types of Hooks:

  • Inline Hook - Allow you to add custom logic to a Component
  • Event Hooks - Allow you to kickoff downstream integrations based on events published in the Okta System Log
Identity Engine - hooks

Use cases enabled by the Okta Identity Engine

Passwordless users

Passwordless authentication using an email-based magic link

Allows organisations to eliminate the password. Rather than enrolling a password in an authentication sequence, organizations can use an email magic link to authenticate a user. Organisations can use a passwordless flow for some applications, but for others, require a stronger factor, such as email, push or WebAuthn.

Identity Engine Account Recovery

Flexible account recovery

Give your users more options to recover their accounts

Users can now reset their password with Okta Verify Push, in addition to Email or Phone (SMS, Voice Call) authenticators. If admins require a step up authentication, end users now can use any enrolled authenticator. This improves your end user's access experience, strengthens your security posture, and decreases your IT Help desk tickets.

Progressive profiling

Incrementally build customer profiles over the customer’s lifetime by adding progressive profiling for required and optional attributes

To optimise the user experience, enterprises can configure registration for less friction. Minimise initial enrollment with minimal fields to fill, while configuring a later enrollment to require that a user input additional information. For example, an ecommerce site may want to ask for an email address when a user first engages, but then ask for a home address and phone number before making a purchase.

Okta User Management Progressive Profiling 1

Limit initial registration forms to the bare minimum and delay asking users for additional information until necessary to reduce abandonment rates.

Okta User Management Progressive Profiling2

Ask for additional attributes later in the customer journey.


Customize branding based on app context

Per-app branding

Customise branding based on app context

Administrators can configure each sequence with separate branding to provide different experiences depending on how a user begins to use its services. For instance, a single hotel loyalty program serving multiple brands or a parent company with different subsidiaries can customise the look and feel of logins depending on a user’s hotel choice or employer.

App-level policies

Customise security policies

Create dynamic sign-on policies that are tailored for different applications based on the behaviour, risk level, and context of the user. For example, you may want to enforce a more stringent assurance requirements to gain access to a sensitive app, but relax those requirements if you have high confidence the access request is legitimate given the user’s past behaviour and current context.

Crafting trusted, tailored user journeys

Putting it all together, organisations can build unique access experiences that are deeply integrated with the rest of their technology stack. For example, a consumer-facing experience looking to minimise friction and abandonment during the registration process could create an experience asks the consumer to just register their name and email. Once registered, an Event Hook can automatically push that user into an email campaign in their email marketing software, Marketo.

Identity engine - Browsing apps
Identity Engine - Ready to transact

If the consumer then indicates greater engagement or now wants to access a more sensitive area of the customer experience, that new context of an existing user accessing a higher-risk app can be used in the Okta Identity Engine to tailor the next part of the user journey. For example, you may now want to validate the consumer’s email address and authenticate them with an email magic link. Further, you may choose to ask for additional information from the consumer, with progressive profiling, before authorising them to proceed.

Unlimited possibilities

But that’s just the beginning. With Okta Hooks and Okta Identity Engine, Okta can be securely customised to be the foundation for any digital experience imaginable. A selection of the use cases unlocked include:

  • Allow access to an app with no authentication
  • Register an email address only
  • Register a phone number only
  • Require only email and name on initial registration
  • Require mailing address prior to making a purchase
  • Authenticate a user with an email magic link
  • Never require enrollment of a password as a factor
  • Require enrollment in SMS as a factor prior to making a large checking account withdrawal
  • Fake email validation
  • Prevent fake account creation
  • Fraudulent auth check against business context
  • Different sign-in branding based on ecommerce sub-brand site
  • Different email branding based on ecommerce sub-brand site
  • Different sign-in branding based on subsidiary
  • Different email branding based on subsidiary
  • Add a user to a marketing drip campaign in Marketo after initial registration
  • Add a user to a marketing drip campaign in Marketo after accessing the shopping cart
  • Trigger an alert to PagerDuty on suspicious activity
  • Automatically identify a user based on browser and serve a personalized experience
  • Ask for user consent to store personal data on registration
  • Use a custom policy to determine if a user can be activated
  • Write custom import matching logic when importing users from HR
  • Write custom import matching logic when importing users from CRM
  • Detect username collisions when importing from any source and fix with custom logic
  • Send welcome email for new hires, outside of the Okta new account email
  • Give user a promotion to enter additional optional personal info, such as favorite food
  • Support product export regulations by validating user sign-up prior to purchase
  • Automated email when data changes on users profile (phone/address etc)
  • Use strong factor for password reset flow
  • Export/Write data to g-sheets
  • G-sheets as a master
  • Never store user PII data in Okta for MFA (e.g data residency requirements)
  • Notify admin on high API rates
  • Lock Okta account on PIV/CAC certificate revocation in CRL
  • Trigger Step up MFA in API AM for high security tasks/scopes
  • Prompt users to increase their security posture by enrolling in MFA

Interested in seeing sample applications and custom logic for these use cases and more? 
Check out the Okta Community Toolkit