About Multifactor Authentication

Multifactor Authentication (MFA) is an added layer of security used to verify an end user's identity when they sign in to an application.

An Okta admin can configure MFA at the organization or application level. If both levels are enabled, end users are prompted to confirm their credentials with factors both when signing in to Okta and when accessing an application.

To learn more about admin role permissions and MFA, see Administrators.

MFA factor type comparison

| Factor Type | Security | Deployability | Usability | Phishing Resistance | Real-Time MITM Resistance |
|---|---|---|---|---|---|
| Passwords | Weak | Strong | Strong | Weak | Weak |
| Security Questions | Weak | Strong | Moderate | Weak | Weak |
| SMS / Voice / Email | Moderate | Strong | Strong | Moderate | Weak |
| Push Verification | Strong | Strong | Strong | Strong | Moderate |
| YubiKey OTP | Strong | Strong | Strong | Moderate | Weak |
| WebAuthn | Strong | Moderate | Strong | Strong | Strong |

Push verification, such as with Okta Verify Push, is more effective against traditional phishing than OTP. However, for stronger resistance, use a FIDO-based factor, such as WebAuthn, instead.

YubiKeys can be deployed in OTP mode and/or as a WebAuthn factor based on FIDO2 standards.

Enable MFA factor types

  1. In the Admin Console, go to Security > Multifactor > Factor Types.
  2. For each factor type, select Active or Inactive to change its status. This setting determines whether the factor type can be enabled for end users, depending on MFA factor enrollment policies.
  3. For each factor type, configure the available options displayed based on your security requirements.
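The following added example (not Okta code or part of the original page) audits which Active factor types fall short of a chosen rating, using the phishing and real-time MITM ratings from the comparison table above. The inventory format, its field names (`factorType`, `status`), the type strings, and their mapping to table rows are assumptions made for illustration; the sample data is constructed.

```python
import json

RANK = {"Weak": 0, "Moderate": 1, "Strong": 2}

# (phishing resistance, real-time MITM resistance), copied from the page's table.
RATINGS = {
    "Security Questions": ("Weak", "Weak"),
    "SMS / Voice / Email": ("Moderate", "Weak"),
    "Push Verification": ("Strong", "Moderate"),
    "YubiKey OTP": ("Moderate", "Weak"),
    "WebAuthn": ("Strong", "Strong"),
}

# Assumption: type strings used in the inventory and the table row each maps to.
ROW_FOR_TYPE = {
    "question": "Security Questions",
    "sms": "SMS / Voice / Email",
    "call": "SMS / Voice / Email",
    "email": "SMS / Voice / Email",
    "push": "Push Verification",
    "token:hardware": "YubiKey OTP",
    "webauthn": "WebAuthn",
}

# Constructed sample inventory (not real tenant data).
SAMPLE_INVENTORY = json.dumps([
    {"factorType": "question", "status": "ACTIVE"},
    {"factorType": "sms", "status": "ACTIVE"},
    {"factorType": "push", "status": "ACTIVE"},
    {"factorType": "webauthn", "status": "INACTIVE"},
    {"factorType": "token:software:totp", "status": "ACTIVE"},
])

def audit_factors(inventory_json, minimum="Strong"):
    """Group Active factor types by whether both ratings reach `minimum`."""
    report = {"meets_minimum": [], "below_minimum": [], "unrated": []}
    for entry in json.loads(inventory_json):
        if entry.get("status") != "ACTIVE":
            continue  # Inactive types cannot be enabled for end users
        ftype = entry.get("factorType")
        row = ROW_FOR_TYPE.get(ftype)
        if row is None:
            report["unrated"].append(ftype)  # not covered by the table
            continue
        weakest = min(RANK[r] for r in RATINGS[row])
        key = "meets_minimum" if weakest >= RANK[minimum] else "below_minimum"
        report[key].append(ftype)
    return report

if __name__ == "__main__":
    print(audit_factors(SAMPLE_INVENTORY))
```

An empty `meets_minimum` list at the `Strong` level means no Active factor type is rated Strong for both phishing and real-time MITM resistance, which in the table only WebAuthn achieves.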

Softlock

Softlock can be configured for password policies and can also be used for delegated authentication.

  • MFA autounlock can only be enabled and defined in a password policy.
  • The unlock period can be customized.
  • If autounlock is not enabled in the password policy, it won't be enforced at all.
  • This lockout counter is factor-specific; any attempts on one factor will not affect the lockout counter for another factor.
  • Active Directory-sourced users can take advantage of the Okta Self Service feature to unlock their account. However, LDAP-sourced users must contact their administrators to unlock their Okta account.

See the Lock out and About lockouts sections in Configure a password policy for details.

Third-Party MFA Providers with Okta

Okta's native MFA method, Okta Verify, balances ease of use with security. However, sometimes circumstances dictate your choices. Feedback from hundreds of Okta customers currently using Okta for MFA exposed a number of scenarios where a third-party MFA provider was needed. Some customers had a pre-existing investment in a legacy MFA provider and were wary of the cost and effort in changing their user experience. Others required the high-level assurance that hardware tokens can deliver for a subset of privileged users. Still others were in a state of transition—eager to adopt Okta Verify, but reluctant to migrate from their old provider too abruptly.

While authentication methods do matter, they are only a part of the story with Okta. Our flexible policy framework, catalog of thousands of app integrations, and contextual access control allow our customers to broadly deploy MFA across their organizations. You are not restricted to Okta Verify—various third-party authentication methods are compatible and seamless with the Okta identity platform. Okta can even support multiple factors simultaneously, allowing organizations to migrate between factors or support heterogeneous user environments.

This is why Okta expertly supports several third-party MFA providers. The following table lists supported providers and details about their integration.

| Vendor | Integration Type | Supported Authentication Methods | Documentation |
|---|---|---|---|
| Symantec VIP | Native | OTP | Configuring Multifactor Authentication |
| Duo Security | Native | OTP, Push, Voice | Configuring Duo Security |
| Google Authenticator | Native | OTP | Configuring the Okta RADIUS Agent |
| YubiKey | Native | OTP, Push OTP | Using YubiKey Authentication in Okta |

Note: These integrations are built upon the providers’ APIs or WebSDKs. They vary in feature support because not all features are similarly accessible.