Configure Okta Verify
You can enable the Okta Verify factor at the org level or at group level by using multifactor policies.
- Enable Okta Verify at org level
- Enable Push Authentication
- Enable Number Challenge with Okta Verify with Push
- Enable Apple Touch ID
- Use Hardware Key Storage for Android Devices
- Enable FIPS-mode encryption
- Use Okta Verify with Push with RADIUS Agents
- Sign in to the Admin Console.
- Go to Security > Multifactor. Okta Verify is selected by default.
- Set the status to Active.
- Under Okta Verify Settings, select any features you want to enable. Note that the feature list varies based on the settings that are available for your org.
- Click Save to proceed with your settings.
With Push notifications, users verify their identity with a single tap on their mobile device, without typing a code. Users reach their apps faster while keeping the same level of security as a code-based factor. This feature is available for iPhone, Android, and Windows devices.
For more information about using Okta Verify Multifactor Authentication (MFA), see Multifactor Authentication.
After you enable Okta Verify with Push Authentication for your org (see Upgrade to Okta Verify with Push) and set the appropriate policy, your end users are prompted to configure it for their account the next time they sign in to Okta. The device UI guides users through the configuration process. For details about the end user experience after enablement, see Okta Verify (Documentation for end users).
Note: If you need to rename your existing Okta subdomain for any reason, security dictates that your active end-user Okta Verify enrollments be reset. For more details on renaming subdomains, see Renaming Your Okta Subdomain.
If you want to prompt your users to upgrade to a version of Okta Verify that supports Push Authentication, first enable that functionality. After you enable Push Authentication, the next time users open Okta Verify, a Please update your profile message appears. Users can upgrade immediately by tapping the button, or continue without upgrading by tapping Remind me later. If they choose to be reminded, the prompt is shown again the next time they sign in.
Push notifications aren't available for iPod Touch devices.
You can enable number challenge to help mobile device users avoid accepting fraudulent push notifications sent by unauthorized people.
Number challenge works with Android, iOS, and Apple Watch users enrolled in Okta Verify with Push.
How it works
If you’ve set the feature to present a number challenge to users:
- An Android or iOS user enrolled in Okta Verify with Push tries to access a protected resource.
- A Review button appears in Okta Verify allowing the user to review details about the sign-in attempt.
- The user can approve the sign-in attempt by tapping Yes, It's Me and then selecting the number that matches the one shown in the sign-in instructions. Verification succeeds only if the numbers match, which confirms that the person completing the push is the same person who started the sign-in and not someone who received an unsolicited push. Optionally, the user can tap No, It's Not Me to deny the sign-in attempt.
For more about the end user experience, see the end-user documentation: Sign in with an Okta Verify push notification (iOS) or Sign in with an Okta Verify push notification (Android).
Before you begin
- This feature isn't supported in LDAPi and RADIUS environments. The 3-number challenge appears in the Okta Verify app, but those flows have no Okta sign-in page in which to display the matching number, so users can't complete the challenge. In this case, configure an MFA factor other than Okta Verify with Push.
Ensure users can see the number challenge instructions:
- If your org is using a customized sign-in widget, the widget version must be 3.3.0 or later.
- If your org is calling the Authentication API directly, update your code to handle the number challenge API response. See Response example (waiting for 3-number verification challenge response).
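The following is an added example, not code from the Okta documentation or from Okta, of what "handle the number challenge API response" means for a client that calls the Authentication API directly. It assumes the poll response shape used in the referenced response example, where the number to display lives at `_embedded.factor._embedded.challenge.correctAnswer` alongside `status: MFA_CHALLENGE` and `factorResult: WAITING`; the tokens, factor ID and hostname are constructed. The HTTP transport is replaced by a `fetch` callable so the example runs offline; in a real client, `fetch` would POST the `stateToken` to the `_links.next.href` poll URL (for example with `requests.post(href, json={"stateToken": token}).json()`) and sleep between polls.

```python
"""Poll an Okta Verify push via the Authentication API and surface the number challenge."""
from typing import Callable, Iterable, Optional

# Constructed sample poll responses (tokens, ids and hostname are made up).
# The challenge field path is an assumption modelled on the Authentication API's
# "waiting for 3-number verification challenge" response example.
WAITING_WITH_CHALLENGE = {
    "stateToken": "00example-state-token",
    "status": "MFA_CHALLENGE",
    "factorResult": "WAITING",
    "_embedded": {
        "factor": {
            "id": "opfEXAMPLEFACTORID",
            "factorType": "push",
            "provider": "OKTA",
            "_embedded": {"challenge": {"correctAnswer": 42}},
        }
    },
    "_links": {
        "next": {
            "name": "poll",
            "href": "https://example.okta.com/api/v1/authn/factors/opfEXAMPLEFACTORID/verify",
        }
    },
}
# Same shape without a challenge: older app, Number challenge set to Never,
# or a low-risk sign-in under "Only for high risk sign-in attempts".
WAITING_NO_CHALLENGE = {
    "stateToken": "00example-state-token",
    "status": "MFA_CHALLENGE",
    "factorResult": "WAITING",
    "_embedded": {"factor": {"id": "opfEXAMPLEFACTORID", "factorType": "push"}},
}
SUCCESS = {"status": "SUCCESS", "sessionToken": "20111example-session-token"}
REJECTED = {"stateToken": "00example-state-token", "status": "MFA_CHALLENGE", "factorResult": "REJECTED"}


def challenge_number(resp: dict) -> Optional[int]:
    """Return the number the user must pick in Okta Verify, or None when the
    poll response carries no number challenge."""
    try:
        return int(resp["_embedded"]["factor"]["_embedded"]["challenge"]["correctAnswer"])
    except (KeyError, TypeError, ValueError):
        return None


def poll_push(fetch: Callable[[], dict], show: Callable[[str], None], max_polls: int = 30) -> dict:
    """Poll until the push resolves. `fetch` performs one poll request and returns
    the parsed JSON body; `show` displays instructions to the user. The number is
    only ever shown to the user; it is never sent back to Okta by this client."""
    shown: Optional[int] = None
    for _ in range(max_polls):
        resp = fetch()  # a real client sleeps a few seconds between polls
        if resp.get("status") == "SUCCESS":
            return {"result": "SUCCESS", "sessionToken": resp.get("sessionToken")}
        result = resp.get("factorResult")
        if result == "WAITING":
            number = challenge_number(resp)
            if number is not None and number != shown:
                # Without this line the user sees three numbers in the app and
                # no way to know which one to tap, so the sign-in can never succeed.
                shown = number
                show(f"Open Okta Verify, tap Yes, It's Me, then choose {number}.")
            elif number is None and shown is None:
                show("Approve the push notification in Okta Verify.")
            continue
        # REJECTED, TIMEOUT, or an unexpected state: stop polling and report it.
        return {"result": result or resp.get("status", "UNKNOWN"), "sessionToken": None}
    return {"result": "TIMEOUT", "sessionToken": None}


def scripted(responses: Iterable[dict]) -> Callable[[], dict]:
    """Build a fake transport that returns the constructed responses in order."""
    it = iter(responses)
    return lambda: next(it)


def demo() -> tuple:
    """Run one scripted sign-in: two WAITING polls with a challenge, then SUCCESS."""
    messages: list = []
    outcome = poll_push(scripted([WAITING_WITH_CHALLENGE, WAITING_WITH_CHALLENGE, SUCCESS]), messages.append)
    return outcome, messages


if __name__ == "__main__":
    outcome, messages = demo()
    for line in messages:
        print("UI:", line)
    print(outcome)
```

The instructions are shown once per distinct number rather than on every poll, and a response with no challenge falls back to the plain "approve the push" prompt, so the same client works whether the org setting is Never, Only for high risk sign-in attempts, or All push challenges.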
Start this task
- In the Admin Console, go to Security > Multifactor.
- On the Factor Types tab, click Okta Verify.
- In Okta Verify Settings, click Edit.
- Make sure Enable Push Notification is selected.
- In the Number challenge section, select an option:
- Never: (Default setting.) Users are never presented a number challenge regardless of the risk level of the authentication attempt.
- Only for high risk sign-in attempts: Users are presented a number challenge only if the sign-in attempt is assessed to be high risk (see Risk scoring). Okta assesses risk based on a number of factors, including details about the device and its location.
- All push challenges: Users are presented a number challenge with all Okta Verify push challenges regardless of risk level.
You can combine the number challenge functionality described above with Okta's Risk Scoring capability to increase the level of security protecting sign-ins to your Okta org. Okta assesses risk based on a number of criteria, including details about the device and its location. When enabled, Risk Scoring assigns a risk level to each Okta sign-in, and admins can configure a sign-on policy rule to take different actions based on the risk level of the sign-in, such as prompting for multifactor authentication if the sign-in is considered high-risk. See Risk Scoring for instructions.
Apple Touch ID uses biometric technology to guard against unauthorized use of Okta Verify. You can configure an end-user fingerprint request, which appears after the initial MFA challenge. If the user's device is lost or stolen, whoever holds it can't approve a push in Okta Verify without the enrolled fingerprint. This feature is currently only available for iOS devices.
In the Okta Admin Console, go to Security > Multifactor. Okta Verify is selected by default.
Under Okta Verify Settings, click Edit.
Select Require Touch ID for Okta Verify.
When Touch ID is enabled, your end users are prompted to configure Touch ID for their device during enrollment or authentication challenge. The device UI displays instructions to guide users through this configuration process, as described in the end-user documentation. See Authenticate with Okta Verify on Android devices or Authenticate with Okta Verify on iOS devices.
Note: Enabling Touch ID will not affect end users that authenticate with non-Touch ID devices.
End-users previously enrolled in Okta Verify with Push
If your end users are already enrolled in Okta Verify with Push, and you simply enable Touch ID for your org, very little setup is required for your users. The next time they authenticate with Push, the response depends on whether a fingerprint has already been registered with Touch ID on the iOS device.
- If the end users' fingerprint has not been captured by the iOS device, clicking Send Push on the Okta Verify authentication page activates the Touch ID Required screen on their device.
- If their fingerprint has been captured and saved on the iOS device, clicking Send Push on the Okta Verify authentication page activates the Touch ID for Okta Verify screen on the device.
This is an Early Access feature. To enable it, please contact Okta Support.
For improved security on Android, enable Use Hardware Key Storage on Android under Okta Verify Settings. When this feature is enabled, Okta Verify stores its keys in access-controlled, hardware-backed key storage on the device, as called for by the Federal Identity, Credential, and Access Management (FICAM) architecture.
This is an Early Access feature. To enable it, use the Early Access Feature Manager as described in Manage Early Access and Beta features.
The Federal Information Processing Standards (FIPS) are a set of technical requirements developed by the United States federal government to establish computer security guidelines for government agencies, corporations, and organizations.
To ensure secure interoperability based on the FIPS standards, Okta Verify for mobile uses FIPS 140-2 validated cryptography for all of its cryptographic operations when this option is enabled. Okta also meets FedRAMP FICAM requirements by relying on FIPS validated vendors.
Mobile Device Coverage
- Apple iOS devices running iOS 7 or higher
- Android devices running Android 6 or higher
Note for Android devices: When this option is enabled, a device is FICAM-compliant only if the end user has configured a secure PIN on it. Check that your device policy requires a device PIN before relying on this setting for compliance.
Enable FIPS-Mode Encryption
- In the Okta Admin Console, go to Security > Multifactor. The Factor Types screen appears with Okta Verify as the default selection.
- Under Okta Verify > Okta Verify Settings, click Edit.
- Select Enable FIPS-Mode Encryption.
- Click Save.
To use Okta Verify with Push in conjunction with the Okta RADIUS agent, you must upgrade to version 2.1.5 or later of the agent. For the version history and the current agent version, see Okta RADIUS Server Agent Version History. The previous steps allow for an org-level update. To enable Okta Verify with Push on a per-group level, see Multifactor Policies.