MFA for On-Prem, including RSA SecurIDS

The Okta On-Prem MFA agent (formerly named the RSA SecurID agent) acts as a RADIUS client and communicates with your RADIUS enabled on-prem MFA server, including RSA Authentication manager for RSA SecurIDs. This allows your organization to leverage second factor challenges from a variety of on-premises multifactor authentication tools.

Note: If you are currently using theRSA SecurID agent (v. 1.1.0 or below) you should upgrade to the latest version of the On-Prem MFA agent at your earliest convenience. For the latest version and version history, see Okta On-Prem MFA Agent Version History.


Before you begin

Before setting up the On-Prem MFA agent within Okta, set up the RADIUS server settings for your secure OAuth vendor.

Supported OS

The Okta On-Prem MFA agent can be installed on the following:

  • Windows Server 2008 R2
  • Windows Server 2008 R2 Core – If you are using this version for your installation, please take special note of step 6 under Installing the Agent.
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Typical workflow



Download the agent
  • Download the Okta On-Prem MFA Agent from the Settings > Downloads page your in Okta org. The agent is found in the MFA Plugins and Agents section.
Enabling the Agent
  • Enable the appropriate On-Prem MFA or RSA SecurID agent.
Disabling SSL Pinning
  • For agents on a network containing a web security appliance, it might be necessary to disable SSL pining.
Install On-Prem MFA agent
  • On-Prem MFA supports installing the agent supporting proxy or non-proxy agent install.  Determine which is appropriate and then follow the instructions to install the agent.
Configuring High Availability
  • On-Prem MFA supports high availability by installing second and subsequent instances of the agent on additional Windows hosts.

Additional considerations