About multifactor authentication

Multifactor authentication (MFA) is an added layer of security used to verify an end user's identity when they sign in to an application.

An Okta admin can configure MFA and require end users to verify their identity when accessing their Okta org, their applications, or both.

To learn more about admin role permissions and MFA, see Administrators.

MFA factor type comparison

Factor Type Security Deployability Usability

Phishing

Resistance

Real-Time

MITM Resistance

Passwords Weak Strong Strong Weak Weak
Security Questions Weak Strong Moderate Weak Weak
SMS / Voice / Email Moderate Strong Strong Moderate Weak
Push Verification Strong Strong Strong Moderate Moderate
YubiKey OTP Strong Strong Strong Moderate Weak
WebAuthn Strong Moderate Strong Strong Strong

Push verification, such as with Okta Verify Push, is more effective against traditional phishing than OTP. However, for stronger resistance, use a FIDO-based factor, such as WebAuthn, instead.

Okta allows admins to deploy YubiKeys in OTP mode, as a WebAuthn factor based on FIDO2 standards, or both.

Enable MFA factor types

  1. In the Admin Console, go to SecurityMultifactorFactor Types.
  2. For each factor type, select Active or Inactive to change its status. This setting determines whether you can enable the factor for your end users, depending on MFA factor enrollment policies.
  3. For each factor type, configure the available options according to your security requirements.

Softlock

You can configure Softlock for password policies and delegated authentication.

  • You can only enable and configure MFA automatic unlock in a password policy.
  • Customize the unlock period.
  • If you don't enable automatic unlock in a password policy, Okta doesn't enforce it.
  • Okta counts failed MFA challenges across all factor types. Users may fail MFA challenges across several factors before Okta locks their account.
  • Active Directory-sourced users can take advantage of the Okta Self Service feature to unlock their account. However, LDAP-sourced users must contact their administrators to unlock their Okta account.

See the Lock out and About lockouts sections in Configure a password policy for details.

Third-party MFA providers

In addition to Okta's own MFA method, Okta Verify, you can seamlessly use third-party MFA solutions from other providers.

See MFA factor configuration for a list of supported MFA factors.

Vendor Integration Type Note Supported Authentication Methods Documentation
Symantec VIP Native OTP Configuring Multifactor Authentication
Duo Security Native OTP, Push, Voice Configuring Duo Security
Google Authenticator Native OTP Configuring the Okta RADIUS Agent
YubiKey Native OTP, Push OTP Using YubiKey Authentication in Okta