About multifactor authentication
Multifactor authentication (MFA) is an added layer of security used to verify an end user's identity when they sign in to an application.
An Okta admin can configure MFA and require end users to verify their identity when accessing their Okta org, their applications, or both.
To learn more about admin role permissions and MFA, see Administrators.
MFA factor type comparison
Factor Type | Security | Deployability | Usability | Phishing Resistance | Real-Time MITM Resistance |
---|---|---|---|---|---|
Passwords | Weak | Strong | Strong | Weak | Weak |
Security Questions | Weak | Strong | Moderate | Weak | Weak |
SMS / Voice / Email | Moderate | Strong | Strong | Moderate | Weak |
Push Verification | Strong | Strong | Strong | Moderate | Moderate |
YubiKey OTP | Strong | Strong | Strong | Moderate | Weak |
WebAuthn | Strong | Moderate | Strong | Strong | Strong |
Push verification, such as with Okta Verify Push, is more effective against traditional phishing than OTP. However, for stronger resistance, use a FIDO-based factor, such as WebAuthn, instead.
Okta allows admins to deploy YubiKeys in OTP mode, as a WebAuthn factor based on FIDO2 standards, or both.
Enable MFA factor types
- In the Admin Console, go to .
- For each factor type, select Active or Inactive to change its status. This setting determines whether you can enable the factor for your end users, depending on MFA factor enrollment policies.
- For each factor type, configure the available options according to your security requirements.
Softlock
You can configure Softlock for password policies and delegated authentication.
- You can only enable and configure MFA automatic unlock in a password policy.
- Customize the unlock period.
- If you don't enable automatic unlock in a password policy, Okta doesn't enforce it.
- Okta counts failed MFA challenges across all factor types. Users may fail MFA challenges across several factors before Okta locks their account.
- Active Directory-sourced users can take advantage of the Okta Self Service feature to unlock their account. However, LDAP-sourced users must contact their administrators to unlock their Okta account.
See the Lock out and About lockouts sections in Configure a password policy for details.
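As an added illustration (not Okta code and not Okta's log schema), this sketch counts failed MFA challenges per user across all factor types in a sliding window and notes when a per-factor counter would have missed the same activity. The event tuple layout, the threshold of 5, the 10-minute window and the reset-on-success rule are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, factor, result).
# The field layout is hypothetical, not Okta's log schema.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "alice", "sms", "FAILURE"),
    ("2024-05-01T10:01:00", "alice", "sms", "FAILURE"),
    ("2024-05-01T10:02:00", "alice", "push", "FAILURE"),
    ("2024-05-01T10:03:00", "alice", "push", "FAILURE"),
    ("2024-05-01T10:04:00", "alice", "totp", "FAILURE"),
    ("2024-05-01T10:00:30", "bob", "sms", "FAILURE"),
    ("2024-05-01T10:01:30", "bob", "sms", "FAILURE"),
    ("2024-05-01T10:02:30", "bob", "push", "SUCCESS"),
] + [(f"2024-05-01T11:0{i}:00", "carol", "sms", "FAILURE") for i in range(5)] \
  + [(f"2024-05-01T12:{i * 8:02d}:00", "dave", "push", "FAILURE") for i in range(5)]


def flag_cross_factor_failures(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users with >= threshold MFA failures inside the window,
    counted across every factor type rather than per factor."""
    recent = defaultdict(deque)  # user -> deque of (time, factor) failures
    flagged = {}
    for ts, user, factor, result in sorted(events):
        when = datetime.fromisoformat(ts)
        failures = recent[user]
        if result == "SUCCESS":
            failures.clear()  # assumption: a success ends the failure streak
            continue
        failures.append((when, factor))
        while when - failures[0][0] > window:
            failures.popleft()  # drop failures older than the window
        if len(failures) >= threshold:
            factors = sorted({f for _, f in failures})
            worst = max(sum(1 for _, f in failures if f == name) for name in factors)
            flagged[user] = {
                "failures": len(failures),
                "factors": factors,
                # True when no single factor reached the threshold on its own
                "missed_by_per_factor_count": worst < threshold,
            }
    return flagged


if __name__ == "__main__":
    for user, info in flag_cross_factor_failures(SAMPLE_EVENTS).items():
        print(user, info)
```
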
Third-party MFA providers
In addition to Okta's own MFA method, Okta Verify, you can seamlessly use third-party MFA solutions from other providers.
See MFA factor configuration for a list of supported MFA factors.
Vendor | Integration Type | Note | Supported Authentication Methods | Documentation |
---|---|---|---|---|
Symantec VIP | Native | | OTP | Configuring Multifactor Authentication |
Duo Security | Native | | OTP, Push, Voice | Configuring Duo Security |
Google Authenticator | Native | | OTP | Configuring the Okta RADIUS Agent |
YubiKey | Native | | OTP, Push OTP | Using YubiKey Authentication in Okta |