Configure Okta Verify

You can enable the Okta Verify factor at the org level or at group level by using multifactor policies.

Enable Okta Verify at org level

  1. Sign in to the Admin Console.
  2. Go to Security > Multifactor. Okta Verify is selected by default.
  3. Set the status to Active.
  4. Under Okta Verify Settings, select any features you want to enable. Note that the feature list varies based on the settings that are available for your org.
  5. Click Save to proceed with your settings.

Enable Push Authentication

With Push notifications, users verify their identity with a single tap on their mobile device without the need to type a code. Users access their apps easily while retaining the same higher level of security. This feature is available for iPhone, Android, and Windows devices.

For more information about using Okta Verify Multifactor Authentication (MFA), see Multifactor Authentication.

After you enable Okta Verify with Push Authentication for your org (see Upgrade to Okta Verify with Push) and set the appropriate policy, your end users are prompted to configure it for their account the next time they sign in to Okta. The device UI guides users through the configuration process. For details about the end user experience after enablement, see Okta Verify (Documentation for end users).

Note: If you need to rename your existing Okta subdomain for any reason, security dictates that your active end-user Okta Verify enrollments be reset. For more details on renaming subdomains, see Renaming Your Okta Subdomain.

Upgrade to Okta Verify with Push

If you want to prompt your users to upgrade to a version of Okta Verify that supports Push Authentication, first enable that functionality. After you enable Push Authentication, the next time users use Okta Verify, a Please update your profile message displays. Users can upgrade immediately by pushing the button, or continue without upgrading by clicking Remind me later. If they choose to be reminded, the prompt is shown again the next time they sign in.

Enable risk-based authentication for Okta Verify with Push

Okta Verify relies on Risk Scoring to assess the risk level of end-user authentications. Okta assesses risk based on a number of factors, including details about the device and its location. If Okta assesses an authentication attempt to be high risk, end users are presented with a Review button in Okta Verify that lets them review details about the authentication attempt. End users can then tap either Yes, It's Me to access their Okta account after satisfying a simple verification challenge, or No, It's Not Me to deny the authentication attempt. For details about the end user experience, see Review and approve unusual sign-in attempts.

Note: This feature is not supported in LDAPi environments. The 3-number challenge appears in the Okta Verify app but the matching number does not appear in end users' desktop browser. In this case, configure an MFA factor other than Okta Verify.

  1. Ensure end users are running Okta Verify 4.4.0+ for iOS or Okta Verify 5.0.0+ for Android.
  2. Ensure Push Authentication is enabled for your org.
  3. In the Okta Admin Console, go to Settings > Features and enable Risk-based Authentication.
  4. Contact Okta Support and ask them to enable Risk-based Authentication for Okta Verify with Push for your org.

Important: Review button functionality is not supported on Apple Watches. If the Review button appears on an Apple Watch when Okta detects an unusual sign-in attempt to an end user account, note that the options Yes, It's Me and No, It's Not Me do not appear after the user taps Review. To accept or reject the sign-in attempt, users must use Okta Verify on their mobile phone.

Enable Apple Touch ID

Apple Touch ID uses biometric technology to guard against unauthorized use of Okta Verify. You can configure an end-user fingerprint request, which appears after the initial MFA challenge. If the user's device is lost or stolen, no one else can gain access to it. This feature is currently only available for iOS devices.

  1. In the Okta Admin Console, go to Security > Multifactor. Okta Verify is selected by default.

  2. Under Okta Verify Settings, click Edit.

  3. Select Require Touch ID for Okta Verify.

  4. Click Save.

When Touch ID is enabled, your end users are prompted to configure Touch ID for their device during enrollment or authentication challenge. The device UI displays instructions to guide users through this configuration process, as described in Authenticate with Okta Verify (Documentation for end users).

Note: Enabling Touch ID will not affect end users that authenticate with non-Touch ID devices.

End users previously enrolled in Okta Verify with Push

If your end users are already enrolled in Okta Verify with Push, and you simply enable Touch ID for your org, there is very little setup required for your users. The next time they authenticate with Push, the response depends on whether their fingerprint has been captured by the native iOS device.

  • If the end users' fingerprint has not been captured by the iOS device, clicking Send Push on the Okta Verify authentication page activates the Touch ID Required screen on their device.
  • If their fingerprint has been captured and saved on the iOS device, clicking Send Push on the Okta Verify authentication page activates the Touch ID for Okta Verify screen on the device.

Use Hardware Key Storage for Android Devices (Early Access)

This is an Early Access feature. To enable it, please contact Okta Support.

For improved security on Android, enable Use Hardware Key Storage on Android via Okta Verify Settings. Enabling this feature allows the implementation of security protocols using access-controlled, hardware-backed keys based on the Federal Identity, Credential, and Access Management (FICAM) architecture.

Enable FIPS-mode encryption (Early Access)

This is an Early Access feature. To enable it, please contact Okta Support.

The Federal Information Processing Standards (FIPS) is a set of technical requirements that were developed by the United States federal government to establish computer security guidelines for government agencies, corporations, and organizations.

To ensure secure interoperability based on the FIPS standards, Okta Verify for mobile uses FIPS 140-2 validation for all security operations when enabled in the admin dashboard. We also satisfy FedRAMP FICAM requirements by relying on FIPS validated vendors.

Mobile Device Coverage

  • Apple iOS mobile devices running iOS 7 and higher
  • Android mobile devices running Android 6 and higher
  • Note for Android devices: Once this feature is enabled, devices are FICAM-compliant only if end users have configured and set a secure pin on their devices.

Enable FIPS-Mode Encryption

  1. In the Okta Admin Console, go to Security > Multifactor. The Factor Types screen appears with Okta Verify as the default selection.
  2. Under Okta Verify > Okta Verify Settings, click Edit.
  3. Select Enable FIPS-Mode Encryption.
  4. Click Save.

Use Okta Verify with Push with RADIUS Agents

To use Okta Verify with Push in conjunction with the Okta RADIUS agent, you must upgrade to version 2.1.5 or later of the agent. For the version history and the current agent version, see Okta RADIUS Server Agent Version History. The previous steps allow for an org-level update. To enable Okta Verify with Push on a per-group level, see Multifactor Policies.
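
Before enabling these features org-wide, it helps to know which enrolled devices fall below the minimums stated above (Okta Verify 4.4.0+ on iOS or 5.0.0+ on Android for risk-based push, iOS 7 / Android 6 and a secure PIN on Android for FIPS mode, RADIUS agent 2.1.5+). The following preflight check is an added example, not Okta code; the inventory format, its field names and the function names are assumptions, and the sample inventory is constructed.

```python
# Added example; inventory field names are assumptions, minimums are from this page.

MIN_OKTA_VERIFY_RISK = {"ios": (4, 4, 0), "android": (5, 0, 0)}  # risk-based push
MIN_OS_FIPS = {"ios": (7, 0, 0), "android": (6, 0, 0)}           # FIPS-mode coverage
MIN_RADIUS_AGENT = (2, 1, 5)                                     # Push through RADIUS

def parse_version(text):
    """Turn '5.0.0' or '14.2' into a 3-tuple of ints so 10.0.0 sorts above 5.0.0."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple([int(p) for p in parts] + [0] * (3 - len(parts)))

def device_findings(device):
    """Return the reasons this device blocks a feature rollout (empty list if none)."""
    platform = device["platform"].lower()
    if platform not in MIN_OKTA_VERIFY_RISK:
        return [f"platform {platform!r} is outside the minimums listed on this page"]
    try:
        app, os_ver = parse_version(device["okta_verify"]), parse_version(device["os"])
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if app < MIN_OKTA_VERIFY_RISK[platform]:
        findings.append("risk-based push: Okta Verify below minimum")
    if os_ver < MIN_OS_FIPS[platform]:
        findings.append("FIPS mode: OS version not covered")
    elif platform == "android" and not device.get("secure_pin", False):
        findings.append("FIPS mode: not FICAM-compliant without a secure PIN")
    return findings

def radius_agent_ready(version):
    return parse_version(version) >= MIN_RADIUS_AGENT

def preflight(devices):
    """Map user -> findings for every user with at least one finding."""
    report = {}
    for d in devices:
        for finding in device_findings(d):
            report.setdefault(d["user"], []).append(finding)
    return report

# Constructed sample inventory, not real data.
SAMPLE = [
    {"user": "alice", "platform": "iOS", "os": "14.2", "okta_verify": "4.4.0"},
    {"user": "bob", "platform": "Android", "os": "9", "okta_verify": "4.9.1", "secure_pin": True},
    {"user": "carol", "platform": "Android", "os": "10", "okta_verify": "10.0.0", "secure_pin": False},
    {"user": "dave", "platform": "iOS", "os": "13", "okta_verify": "4.3.9"},
]
```

Calling preflight(SAMPLE) returns findings for bob, carol and dave only; versions are compared as integer tuples, so carol's Okta Verify 10.0.0 is correctly treated as newer than 5.0.0.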

Related topics

Okta Verify for admins

Okta Verify for end users