Multifactor authentication
Multifactor authentication means that users must verify their identity in two or more ways to gain access to their account. These ways can be passwords, answers to security questions, phones (SMS or voice call), or authentication apps such as Okta Verify. In Okta, the ways users verify their identity are called authenticators.
Okta supports a wide variety of authenticators, so you can tailor their use to the MFA requirements of your enterprise environment. You can also customize MFA enrollment policies, which control how users enroll themselves in an authenticator, and authentication policies and Global Session Policies, which determine which authentication challenges end users encounter when they sign in to their account. For example, you can allow or block sign-ins based on the user's location, the groups they're assigned to, the authenticator they're using, and more, and specify which action to take, such as allowing access or presenting additional challenges.
Steps to set up an authenticator
The following steps describe the workflow for setting up most of the authenticators that Okta supports. See the topic for each authenticator you want to use for specific instructions.
- Enable the authenticator. Instructions are provided in each authenticator topic.
- Configure the authenticator. Each authenticator has its own settings.
- Add the authenticator to the authenticator enrollment policy and customize the policy.
See About MFA authenticators to learn more about authenticators and how to configure them.
List of supported authenticators
Authenticator | Factor type | Method characteristics | Description |
---|---|---|---|
Okta Verify | Possession; Possession + Biometric* | Hardware protected, Device bound, User presence | Okta Verify is an authenticator app used to confirm a user's identity when they sign in to Okta or protected resources. Note: Okta Verify for macOS and Windows is supported only on Identity Engine orgs. |
Custom Authenticator | Possession; Possession + Biometric* | Hardware protected, Device bound, User presence | The Custom Authenticator is an authenticator app used to confirm a user's identity when they sign in to protected resources. |
Custom OTP | Possession | Device bound, User presence | You can add Custom OTP authenticators that allow users to confirm their identity when they sign in to Okta or protected resources. After you configure a Custom OTP and associated policies in Okta, end users are prompted to set it up by entering a code that you provide. |
Duo Security | Possession | Device bound, User presence | Duo Security is an authenticator app used to confirm a user's identity when they sign in to Okta or protected resources. When integrated with Okta, Duo Security becomes the system of record for multifactor authentication. |
Email | Possession | User presence | The Email authenticator allows users to authenticate with a token (referred to as an email magic link) that is sent to their primary email address. |
Google Authenticator | Possession | Device bound, User presence | Google Authenticator is an authenticator app used to confirm a user's identity when they sign in to Okta or protected resources. When Google Authenticator is enabled, users who select it to authenticate are prompted to enter a time-based six-digit code generated by the Google Authenticator app. |
Password | Knowledge | User presence | The Password authenticator consists of a string of characters that can be specified by users or set by an admin. |
Phone (SMS and Voice Call) | Possession | User presence | The SMS and Voice Call authenticators require the use of a phone. They send a code in a text message or voice call that the user enters when prompted by Okta. |
Security Key or Biometric (WebAuthn) | Possession; Possession + Biometric* | Device bound, Phishing resistant, User presence | The Security Key or Biometric authenticator follows the FIDO2 Web Authentication (WebAuthn) standard. The user inserts a security key, such as a YubiKey, touches a fingerprint reader, or has their device scan their face to verify them. |
Security Question | Knowledge | User presence | The Security Question authenticator consists of a question that requires an answer that was defined by the end user. |
Smart Card | Depends on the selected options (see the rows below) | Depends on the selected options (see the rows below) | The Smart Card authenticator enables admins to require users to authenticate themselves when they sign in to Okta or when they access an app. The factor types and method characteristics of this authenticator change depending on the settings you select. |
Smart Card: no options selected (software-based certificate) | Possession + Knowledge | Device bound, Phishing resistant, User presence | |
Smart Card: only the Hardware option selected | Possession | Device bound, Hardware protected, Phishing resistant, User presence | |
Smart Card: only the PIN option selected | Possession + Knowledge | Device bound, Phishing resistant, User presence, User verifying | |
Smart Card: the PIN and Hardware options selected | Possession + Knowledge | Device bound, Hardware protected, Phishing resistant, User presence, User verifying | |
Symantec VIP | Possession | Device bound, User presence | Symantec Validation and ID Protection Service (VIP) is a cloud-based authentication service that enables secure access to networks and applications. You can add Symantec VIP as an authenticator option in Okta. |
Custom IdP | Possession | User presence | Custom Identity Provider (IdP) authentication allows admins to enable a custom SAML or OIDC MFA authenticator based on a configured Identity Provider. End users are directed to the Identity Provider to authenticate and are then redirected to Okta once verification succeeds. |
YubiKey OTP | Possession | Hardware protected, Device bound | The YubiKey OTP authenticator allows users to press their YubiKey hard token to emit a new one-time password (OTP) and sign in to their account securely. |
* Verification with these authenticators always satisfies at least one possession factor type. Based on the device used to enroll and the method used to verify the authenticator, two factor types could be satisfied. For example, a user who verifies with a security key that requires a PIN will satisfy both possession and knowledge factor types with a single authenticator.