Configure Okta Verify

You can enable the Okta Verify factor at the org level or at group level by using multifactor policies.

Enable Okta Verify at org level

  1. Sign in to the Admin Console.
  2. Go to Security > Multifactor. Okta Verify is selected by default.
  3. Set the status to Active.
  4. Screen capture of the Okta Verify page in the Admin Console

  5. Under Okta Verify Settings, select any features you want to enable. Note that the feature list varies based on the settings that are available for your org.
  6. Click Save to proceed with your settings.

Enable Push Authentication

With Push notifications, users verify their identity with a single tap on their mobile device without the need to type a code. Users access their apps easily while retaining the same higher level of security. This feature is available for iPhone, Android, and Windows devices.

For more information about using Okta Verify Multifactor Authentication (MFA), see Multifactor Authentication.

After you enable Okta Verify with Push Authentication for your org (see Upgrade to Okta Verify with Push) and set the appropriate policy, your end users are prompted to configure it for their account the next time they sign in to Okta. The device UI guides users through the configuration process. For details about the end user experience after enablement, see Okta Verify (Documentation for end users).

Note: If you need to rename your existing Okta subdomain for any reason, security dictates that your active end-user Okta Verify enrollments be reset. For more details on renaming subdomains, see Renaming Your Okta Subdomain.

Upgrade to Okta Verify with Push

If you want to prompt your users to upgrade to a version of Okta Verify that supports Push Authentication, first enable that functionality. After enabling Push Authentication, the next time users use Okta Verify, a Please update your profile message appears. Users can upgrade immediately by pushing the button, or continue without upgrading by clicking Remind me later. If they chose to be reminded, a prompt is shown again the next time they sign in.

Note

Push notifications aren't available for iPod Touch devices.

Enable Number Challenge with Okta Verify with Push

You can enable number challenge to help mobile device users avoid accepting fraudulent push notifications sent by unauthorized people.

Note

Number challenge works with Android, iOS, and Apple Watch users enrolled in Okta Verify with Push.

How it works

If you’ve set the feature to present a number challenge to users:

  1. An Android or iOS user enrolled in Okta Verify with Push tries to access a protected resource.

  2. A Review button appears in Okta Verify allowing the user to review details about the sign-in attempt.

  3. The user can validate the sign-in attempt by tapping Yes, It's Me and then select a number that matches a number shown in the sign-in instructions. Verification succeeds only if the numbers match. This ensures that the sign-in attempt was initiated by the user and not an unauthorized person. Optionally, the user can tap No, It's Not Me to deny the sign-in attempt.

For more about the end user experience, see the end-user documentation: Sign in with an Okta Verify push notification (iOS) or Sign in with an Okta Verify push notification (Android).

Before you begin

  • This feature is not supported in LDAPi and RADIUS environments. The 3-number challenge appears in the Okta Verify app but the matching number does not appear in end users' desktop browser. In this case, configure an MFA factor other than Okta Verify.

  • Ensure users can see the number challenge instructions:

Start this task

  1. In the Admin Console, go to Security > Multifactor.

  2. In the Factor Types, tab click Okta Verify.

  3. In Okta Verify Settings, click Edit.

  4. Make sure Enable Push Notification is selected.

  5. In the Number challenge section, select an option:
    • Never: (Default setting.) Users are never presented a number challenge regardless of the risk level of the authentication attempt.
    • Only for high risk sign-in attempts: Users are presented a number challenge only if the sign-in attempt is assessed to be high risk (see Risk Scoring). Okta assesses risk based on a number of factors, including details about the device and its location.
    • All push challenges: Users are presented a number challenge with all Okta Verify push challenges regardless of risk level.
  6. Click Save.

About Risk Scoring

You can combine the number challenge functionality described above with Okta's Risk Scoring capability to increase the level of security protecting sign-ins to your Okta org. Okta assesses risk based on a number of criteria, including details about the device and its location. When enabled, Risk Scoring assigns a risk level to each Okta sign-in, and admins can configure a sign-on policy rule to take different actions based on the risk level of the sign-in, such as prompting for multifactor authentication if the sign-in is considered high-risk. See Risk Scoring for instructions.

Enable Apple Touch ID

Apple Touch ID uses biometric technology to guard against unauthorized use of Okta Verify. You can configure an end-user fingerprint request, which appears after the initial MFA challenge. If the user's device is lost or stolen, no one else can gain access to it. This feature is currently only available for iOS devices.

  1. In the Okta Admin Console, go to Security > Multifactor. Okta Verify is selected by default.

  2. Under Okta Verify Settings, click Edit.

  3. Select Require Touch ID for Okta Verify.

  4. Click Save.

When Touch ID is enabled, your end users are prompted to configure Touch ID for their device during enrollment or authentication challenge. The device UI displays instructions to guide users through this configuration process, as described in the end-user documentation. See Authenticate with Okta Verify on Android devices or Authenticate with Okta Verify on iOS devices.

Note: Enabling Touch ID will not affect end users that authenticate with non-Touch ID devices.

End-users previously enrolled in Okta Verify with Push

If your end users are already enrolled in Okta Verify with Push, and you simply enable Touch ID for your org, there is very little setup required for your users. The next time they authenticate with Push, the response depends on whether their fingerprint has been captured by the native iOS device.

  • If the end users' fingerprint has not been captured by the iOS device, clicking Send Push on the Okta Verify authentication page activates the Touch ID Required screen on their device.
  • If their fingerprint has been captured and saved on the iOS device, clicking Send Push on the Okta Verify authentication page activates the Touch ID for Okta Verify screen on the device.

Use Hardware Key Storage for Android Devices

This is an Early Access feature. To enable it, please contact Okta Support.

For improved security on Android, enable Use Hardware Key Storage on Android via Okta Verify Settings. Enabling this feature allows the implementation of security protocols using access-controlled, hardware-backed keys based on the Federal Identity, Credential, and Access Management (FICAM) architecture.

Enable FIPS-mode encryption

This is an Early Access feature. To enable it, use the Early Access Feature Manager as described in Manage Early Access and Beta features .

The Federal Information Processing Standards (FIPS) is a set of technical requirements that were developed by the United States federal government to establish computer security guidelines for government agencies, corporations, and organizations.

To ensure secure interoperability based on the FIPS standards, Okta Verify for mobile uses FIPS 140-2 validation for all security operations when this option is enabled. Okta also meets FedRAMP FICAM requirements by relying on FIPS validated vendors.

Mobile Device Coverage

  • Apple iOS devices running iOS 7 or higher
  • Android devices running Android 6 or higher
  • Note for Android devices: When this option is enabled, devices are FICAM-compliant only if end users have configured and set a secure pin on their devices.

Enable FIPS-Mode Encryption

  1. In the Okta Admin Console, go to Security > Multifactor. The Factor Types screen appears with Okta Verify as the default selection.
  2. Under Okta Verify > Okta Verify Settings, click Edit.
  3. Select Enable FIPS-Mode Encryption.
  4. Click Save.

Use Okta Verify with Push with RADIUS Agents

To use Okta Verify with Push in conjunction with the Okta RADIUS agent, you must upgrade to version 2.1.5 or later of the agent. For the version history and the current agent version, see Okta RADIUS Server Agent Version History. The previous steps allow for an org-level update. To enable Okta Verify with Push on a per-group level, see Multifactor Policies.

Related topics

Okta Verify for admins

Okta Verify for end users