Okta Verify for Admins
When a user signs in to their organization, the Okta Verify app prompts them to verify their identity in order to authenticate successfully. After an end user installs the app on their primary device, they can verify their identity by approving a push notification or by entering a one-time code.
Note: End users can only register one device with Okta Verify at a time. To register a new device, end users must reset their Okta Verify account and then open Okta Verify to add and register their new device.
Are you an end user looking to set up and use Okta Verify? See Okta Verify for End Users.
HealthInsight: Why is this task recommended?
This feature is a HealthInsight security task. For more security recommendations from Okta, see HealthInsight.
Enable Okta Verify (with push when available) for end users to authenticate with a strong MFA factor.
Okta Verify General Flow
- Okta admin enables and configures Okta Verify in the admin console.
- End user signs in to their Okta org and is prompted to enroll with Okta Verify for the first time.
- End user enrolls their device with Okta Verify by scanning a bar code in their browser using the Okta Verify app.
- End user verifies their identity either by 1) requesting a push notification sent to their mobile device or by 2) entering a verification code.
- End user either approves push notification or enters verification code displayed in the Okta Verify app.
- After successful verification, end user logs in automatically to Okta, and is redirected to their account dashboard.
The Okta Verify factor can be enabled both at the org-level or at a group-level using multifactor policies.
To enable Okta Verify at an org-level:
- Sign in to the admin console.
- Navigate to Security > Multifactor. Okta Verify is selected by default.
- Set the status to Active.
- Under Okta Verify Settings, select any features you want to enable. Note that the feature list will vary based on the settings that are available for your org.
- Click Save to proceed with your settings.
Push notifications allow users to verify their identity with a single tap on their mobile device without the need to type a code. Users access their apps easily while retaining the same higher level of security. This feature is available for iPhone, Android, and Windows devices.
For more information about using Okta Verify Multifactor Authentication (MFA), see Multifactor Authentication.
After you enable Okta Verify with Push Authentication for your org (see Upgrade to Okta Verify with Push below) and set the appropriate policy, your end users are prompted to configure it for their account the next time they sign in to Okta. The device UI displays instructions to guide users through the configuration process, as described in the following sections. For the end user experience after enablement, see End User Experience After Enablement.
Note: If you need to rename your existing Okta subdomain for any reason, security dictates that your active end-user Okta Verify enrollments be reset. For more details on renaming subdomains, see Renaming Your Okta Subdomain.
If you want to prompt your users to upgrade to a version of Okta Verify that supports Push Authentication, first enable that functionality. When enabled, the next time your end users use Okta Verify, a Please update your profile screen displays with a button allowing them to immediately upgrade. Your end users can either upgrade or click Remind me later to continue without upgrading. If they chose to be reminded, a prompt is shown the next time they sign in.
This is an Early Access feature. Enablement is a two-step process involving (1) the Early Access Feature Manager and (2) contacting Okta Support. For details, see the procedure below.
Okta Verify relies on Risk Scoring to assess the risk level of end-user authentications. Okta assesses risk based on a number of factors, including details about the device and its location. If Okta assesses an authentication attempt to be high risk, end users are presented a Review button in Okta Verify allowing them to review details about the authentication attempt. End users can then tap either Yes, It's Me to access their Okta account after satisfying a simple verification challenge or No, It's Not Me to deny the authentication attempt. For details about the end user experience, see About the Review button and 3-number verification challenge.
To enable this experience for your end users:
- Ensure end users are running Okta Verify 4.4.0+ for iOS or Okta Verify 5.0.0+ for Android.
- Ensure Push Authentication is enabled for your org.
- In the Okta Admin Console, go to Settings > Features and enable Risk-based Authentication.
- Contact Okta Support and ask them to enable Risk-based Authentication for Okta Verify with Push for your org.
Review button functionality is not supported on Apple Watches. If the Review button appears on an Apple Watch when Okta detects an unusual sign-in attempt to an end user account, note that the options Yes, It's Me and No, It's Not Me do not appear after the user taps Review. To accept or reject the sign-in attempt, users must use Okta Verify on their mobile phone.
Apple Touch ID uses biometric technology to guard against unauthorized use of Okta Verify. You can configure an end-user fingerprint request, which appears after the initial MFA challenge. If the user's device is lost or stolen, no one else can gain access to it. This feature is currently only available for iOS devices.
When Touch ID is enabled, your end users are prompted to configure Touch ID for their device during enrollment or authentication challenge. The device UI displays instructions to guide users through this configuration process, as described in End User Configuration for Okta Verify.
To enable Touch ID for your org:
Navigate to Security > Multifactor. Okta Verify is selected by default.
Under Okta Verify Settings, click Edit.
Select Require Touch ID for Okta Verify.
Note: Enabling Touch ID will not affect end users that authenticate with non-Touch ID devices.
If your end users are already enrolled in Okta Verify with Push, and you simply enable Touch ID for your org, there is very little setup required for your users. The next time they authenticate with Push, the response depends on whether their fingerprint has been captured by the native iOS device.
- If the end users' fingerprint has not been captured by the iOS device, clicking Send Push on the Okta Verify authentication page activates the Touch ID Required screen on their device (as shown in Step 1 below).
- If their fingerprint has been captured and saved on the iOS device, clicking Send Push on the Okta Verify authentication page activates the Touch ID for Okta Verify screen on the device (as shown in Step 3 below).
This is an Early Access feature. To enable it, please contact Okta Support.
For improved security on Android, enable Use Hardware Key Storage on Android via Okta Verify Settings. Enabling this feature allows the implementation of security protocols using access-controlled, hardware-backed keys based on the Federal Identity, Credential, and Access Management (FICAM) architecture.
This is an Early Access feature. To enable it, please contact Okta Support.
The Federal Information Processing Standards (FIPS) is a set of technical requirements that were developed by the United States federal government to establish computer security guidelines for government agencies, corporations, and organizations.
To ensure secure interoperability based on the FIPS standards, Okta Verify for mobile uses FIPS 140-2 validation for all security operations when enabled in the admin dashboard. We also satisfy FedRAMP FICAM requirements by relying on FIPS validated vendors.
Mobile Device Coverage
Okta uses FIPS-validated vendors such as Apple and Google to ensure that Okta Verify and our backend infrastructure uses FIPS-validated technology. As a result, our implementation provides validated support for the following devices:
- Apple iOS mobile devices running iOS 7 and higher
- Android mobile devices running Android 6 and higher Note for Android devices: Once this feature is enabled, devices are FICAM-compliant only if end users have configured and set a secure pin on their devices.
Enable FIPS-Mode Encryption
From the admin console:
- Navigate to Security > Multifactor. The Factor Types screen appears with Okta Verify as the default selection.
- Under Okta Verify > Okta Verify Settings, click Edit.
- To enable, select Enable FIPS-Mode Encryption.
- Click Save once you've made your changes.
To use Okta Verify with Push in conjunction with the Okta RADIUS agent, you must upgrade to version 2.1.5 or later of the agent. For the version history and the current agent version, see Okta RADIUS Server Agent Version History. The previous steps allow for an org-level update. To enable Okta Verify with Push on a per-group level, see Multifactor Policies.
- Okta Verify Overview
- Okta Verify for End Users
- Okta Verify Release Notes
- Okta Mobile
- Multifactor Authentication