You can configure how users authenticate with Okta Verify: by approving push notifications, or by matching numbers. You can enable Okta Verify at the org level or group level by using multifactor policies.
Okta Verify is supported on several operating systems. See Supported platforms for Okta Verify.
- In the Admin Console, go to Security > Multifactor.
- On the Factor Types tab, select Okta Verify.
- Set the status to Active.
- In Okta Verify Settings, click Edit, and then select the features you want to enable. Available features vary by org setting:
- Enable Push Notification: With Push Notification, Okta sends a prompt to the Okta Verify app on the user's mobile device. The user taps the prompt on their mobile device to verify their identity. This feature is available for iPhone, Android, and Windows mobile devices, but not for iPod Touch devices. See Push Notification.
- Require or Touch ID or Face ID for Okta Verify (only on iOS): iOS device users may use the Touch ID or Face ID functionality of their device to verify themselves with Okta Verify. See Apple Touch ID and Face ID.
- Enable FIPS-Mode Encryption: Apply FIPS-mode encryption to enhance the protection of Okta Verify data. See About FIPS-mode encryption.
- Number Challenge: Number challenge helps mobile device users avoid accepting fraudulent Push notifications. Configure them when you want Okta Verify to present a number challenge: never, always, or for high risk sign-in attempts only.
- Use hardware key storage for Android devices:
This is an Early Access feature. To enable it, please contact Okta Support.
To enhance security on Android devices, enable this setting. This allows you to implement the Federal Identity, Credential and Access Management (FICAM) security architecture, which applies access control and hardware protection to keys stored on Android devices.
- Click Save.
After you enable Okta Verify with Push Notification for your org, your end users are prompted to configure it for their account the next time they sign in to Okta. The Okta Verify app guides them through the configuration process.
Users can upgrade immediately by pushing the button, or continue without upgrading by clicking Remind me later. If they choose to be reminded, a prompt appears the next time they sign in.
For details about the end user experience, see Okta Verify (Documentation for end users).
Okta Verify end-user enrollments are associated with your Okta subdomain. If you need to rename your Okta subdomain, you must also reset all of your active end-user Okta Verify enrollments. See Renaming Your Okta Subdomain.
Number challenge helps mobile device users avoid accepting fraudulent Push notifications. It works with Android, iOS and Apple Watch devices, which must be enrolled in Okta Verify in an org in which Push Notification is enabled.
If you enabled Push Notification with Number Challenge, users validate their sign-in attempt by tapping Yes, It’s Me in Okta Verify. They then see three numbers on their device. The user must tap the same number that appears in their browser. Users are signed in only if they tap the correct number. If the user taps No, It's Not Me, the sign-in attempt is blocked and they can't sign in.
This feature isn't supported in LDAPi and RADIUS environments: the three numbers of the challenge appear in the Okta Verify app, but the matching number doesn't appear in the end user's desktop browser. For these environments, configure a different MFA factor and not Okta Verify.
- Verify that your org uses a customized Sign-In Widget with a version number of 3.3.0 or later.
- If your org calls the Authentication API directly, update your code to handle the number challenge API response. See Response example (waiting for 3-number verification challenge response).
See the end-user documentation: Sign in with an Okta Verify push notification (iOS) or Sign in with an Okta Verify push notification (Android).
You can combine Number Challenge functionality with Risk Scoring to enhance the level of security for your Okta org and guard against malicious sign-in attempts.
When Risk Scoring is enabled, Okta assesses risk based on criteria such as device details and location, and assigns a risk level to each Okta sign-in attempt. Admins can customize a sign-on policy rule to respond in different ways based on the assigned risk level. For example, Okta may prompt users for multifactor authentication if the sign-in attempt is considered high risk. See Risk scoring for instructions.
To use Okta Verify with Push and the Okta RADIUS agent, you must upgrade the Okta RADIUS agents to version 2.1.5 or later. To find the current agent version, see Okta RADIUS Server Agent Version History for instructions.
Apple Touch ID and Face ID use biometric technology to guard against unauthorized use of Okta Verify. You can configure an end-user fingerprint or facial recognition request, which appears after the initial MFA challenge. If the user's device is lost or stolen, no one else can gain access to it. This feature is currently only available for iOS devices.
When Touch ID and Face ID are enabled, your end users are prompted to configure Touch ID or Face ID for their device when they enroll or when prompted to authenticate. The device guides users through this configuration process, as described in the end-user documentation. See Authenticate with Okta Verify on Android devices or Authenticate with Okta Verify on iOS devices.
If your end users are already enrolled in Okta Verify with Push and you enable Touch ID and Face ID for your org, minimal setup is required. The next time they authenticate with Push, the response depends on whether their fingerprint or facial image has been captured by the iOS device:
- If the end user's fingerprint or facial image has not been captured by the iOS device, clicking Send Push on the Okta Verify authentication page activates the Touch ID Required or Face ID Required screen on their device.
- If their fingerprint or facial image has been captured and saved on the iOS device, clicking Send Push on the Okta Verify authentication page activates the Touch ID for Okta Verify or Face ID for Okta Verify screen on the device.
Enabling Touch ID or Face ID only affects users who authenticate with devices that use Touch ID or Face ID.
The Federal Information Processing Standards (FIPS) is a set of technical requirements that were developed by the United States Government to establish computer security guidelines for government agencies, corporations, and organizations.
When FIPS-mode encryption is enabled, Okta Verify uses FIPS 140-2 validation for all security operations to ensure secure interoperability.
Okta also meets FedRAMP FICAM requirements by relying on FIPS-validated vendors.
Mobile device coverage
- Apple iOS devices running iOS 7 or higher
- Android devices running Android 6 or higher
When this option is enabled, Android devices are FICAM-compliant only if end users have configured and set a secure PIN on their devices.