MFA for Admins

Multifactor authentication reduces the risk of admin account compromise if credentials are obtained maliciously by a third party. Super admins can enable mandatory multifactor authentication for all administrators signing in to Okta Administration.


HealthInsight: Why is this task recommended?

This feature is a HealthInsight security task. For more security recommendations from Okta, see HealthInsight.

Enable MFA for Admins to reduce the risk of admin account compromise if credentials are obtained maliciously by a third party.

Security impact: Critical

End-user impact: None

Okta recommends: Require MFA for Admins


After this feature is enabled:

  • Admins will be prompted for multifactor authentication during sign-in or when they access Okta Administration. If an org's sign-on policy already requires multifactor authentication, the admin won't be prompted a second time.
  • Admins who have not yet enrolled in an MFA factor will be prompted to enroll for the first time.
  • At least one factor should be turned on for your organization before enabling this setting. If the org does not have any MFA factors enabled, Okta Verify with one-time passwords (OTP) will be enabled as the default factor. If factors have already been configured, no changes will be made.
  • MFA for Admins can only be set to enabled or disabled. It cannot be configured like other MFA policies.


Procedure

To enable MFA for Admins:

  1. From the admin console, navigate to Security > General.
  2. Scroll to Multifactor for Administrators.
  3. Click Edit.
  4. Select Require Multifactor for Administrators signing in to Okta Administration.
  5. Click Save.


Related topics