Okta On-Prem MFA agent (formerly RSA SecurID)

The Okta On-Prem MFA agent (formerly named the RSA SecurID agent) acts as a RADIUS client. It communicates with your RADIUS-enabled on-premises MFA server, including RSA Authentication Manager for RSA SecurID. This allows your organization to use second-factor challenges from various on-premises multifactor authentication tools.

To sign in to your org, end users must use an RSA hardware dongle or soft token to generate an authentication code. The codes are generated using a built-in clock and the card's factory-encoded random key.

If you're currently using the RSA SecurID agent (v. 1.1.0 or below), you should upgrade to the latest version of the On-Prem MFA agent at your earliest convenience. See Okta On-Prem MFA Agent Version History.

Before you begin

Before you set up the On-Prem MFA agent in Okta, set up the RADIUS server settings for your secure OAuth vendor.

Supported operating systems

You can install the Okta On-Prem MFA agent on the following platforms:

  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Typical workflow

  • Download the agent: Download the Okta On-Prem MFA Agent from the Settings > Downloads page in your Okta org. The agent is in the MFA Plugins and Agents section.
  • Add and configure On-Prem MFA/RSA SecurID: Configure required MFA factors.
  • Disable SSL Pinning: For agents on a network containing a web security appliance, it might be necessary to disable SSL pinning.
  • Install On-Prem MFA agent: Install the On-Prem MFA agent.
  • Configure high availability: Install the agent on more hosts for high availability purposes.
  • Configure verbose logging: Optional. Use verbose logging for testing and debugging purposes.

Related topics

Uninstalling and reinstalling the agent