About Multifactor Authentication (MFA)

Multifactor Authentication (MFA) is an added layer of security used to verify an end user's identity when they sign in to an application.

An Okta admin can configure MFA at the organization or application level. If both levels are enabled, end users are prompted to confirm their credentials with factors both when signing in to Okta and when accessing an application.

To learn more about admin role permissions and MFA, see Administrators.

MFA factor type comparison

Factor Type        | Security | Deployability | Usability | Phishing Resistance | Real-Time MITM Resistance
-------------------+----------+---------------+-----------+---------------------+--------------------------
Passwords          | Weak     | Strong        | Strong    | Weak                | Weak
Security Questions | Weak     | Strong        | Moderate  | Weak                | Weak
SMS / Voice / Email| Moderate | Strong        | Strong    | Moderate            | Weak
Software OTP       | Moderate | Strong        | Moderate  | Moderate            | Weak
Physical OTP       | Moderate | Weak          | Weak      | Moderate            | Weak
Push Verification  | Strong   | Strong        | Strong    | Strong              | Moderate
YubiKey OTP        | Strong   | Strong        | Strong    | Moderate            | Weak
U2F and WebAuthn   | Strong   | Moderate      | Strong    | Strong              | Strong
Windows Hello      | Strong   | Weak          | Strong    | Strong              | Strong

Note about phishing resistance

Push verification such as Okta Verify Push is more effective than OTP against traditional phishing. However, for stronger resistance, use FIDO-based factors such as U2F, Windows Hello, or WebAuthn.
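The comparison table and the note above are easiest to act on as an enrollment audit: given the factors each user has enrolled, rate the strongest one and flag users who have no FIDO-based factor. The script below is an added example written for this page, not Okta code. The factorType strings follow the Okta Factors API, but the mapping of "token" to YubiKey OTP and "token:hardware" to Physical OTP is an assumption, and the sample factor lists are constructed to mirror the shape of a GET /api/v1/users/{userId}/factors response rather than captured from a tenant.

```python
"""Rate enrolled MFA factors by phishing resistance (added example, not Okta code)."""

# Phishing-resistance rating per Okta factorType, taken from the comparison
# table on this page. Mapping "token" -> YubiKey OTP and "token:hardware" ->
# Physical OTP is an assumption made for this example.
PHISHING_RESISTANCE = {
    "question": "Weak",
    "sms": "Moderate",
    "call": "Moderate",
    "email": "Moderate",
    "token:software:totp": "Moderate",
    "token:hardware": "Moderate",
    "token": "Moderate",
    "push": "Strong",
    "u2f": "Strong",
    "webauthn": "Strong",
}
RANK = {"Weak": 0, "Moderate": 1, "Strong": 2}

# FIDO-based factor types that the note above recommends for stronger resistance.
FIDO_FACTOR_TYPES = {"u2f", "webauthn"}

# Constructed sample: two users' enrolled factors in the shape of the
# Users Factors API response. Not captured from any real tenant.
SAMPLE_FACTORS = {
    "user-alice": [
        {"factorType": "sms", "provider": "OKTA", "status": "ACTIVE"},
        {"factorType": "push", "provider": "OKTA", "status": "ACTIVE"},
        {"factorType": "webauthn", "provider": "FIDO", "status": "ACTIVE"},
    ],
    "user-bob": [
        {"factorType": "question", "provider": "OKTA", "status": "ACTIVE"},
        {"factorType": "token:software:totp", "provider": "GOOGLE", "status": "ACTIVE"},
        # Enrolled but never activated: must not count as protection.
        {"factorType": "u2f", "provider": "FIDO", "status": "PENDING_ACTIVATION"},
    ],
}


def active_factor_types(factors):
    """Return the factorType of every factor whose status is ACTIVE."""
    return [f["factorType"] for f in factors if f.get("status") == "ACTIVE"]


def rate_factor(factor_type):
    """Phishing-resistance rating for a factorType. Unknown types are rated
    Weak on purpose, so a new or unmapped factor never passes silently."""
    return PHISHING_RESISTANCE.get(factor_type, "Weak")


def audit_user(factors):
    """Summarise one user's enrolled factors.

    strongest  - best phishing-resistance rating among ACTIVE factors
                 (None when nothing is active)
    has_fido   - True if at least one ACTIVE U2F/WebAuthn factor exists
    weak_only  - True if every active factor is rated Weak (or none is
                 active), which is the case to escalate first
    """
    types = active_factor_types(factors)
    if not types:
        return {"strongest": None, "has_fido": False, "weak_only": True}
    ratings = [rate_factor(t) for t in types]
    return {
        "strongest": max(ratings, key=RANK.__getitem__),
        "has_fido": any(t in FIDO_FACTOR_TYPES for t in types),
        "weak_only": all(r == "Weak" for r in ratings),
    }


def users_without_fido(factors_by_user):
    """Sorted list of user ids that have no ACTIVE FIDO-based factor."""
    return sorted(u for u, f in factors_by_user.items()
                  if not audit_user(f)["has_fido"])


if __name__ == "__main__":
    for user, factors in SAMPLE_FACTORS.items():
        print(user, audit_user(factors))
    print("needs FIDO enrollment:", users_without_fido(SAMPLE_FACTORS))
```

Against a real tenant, the per-user factor lists would come from the Users Factors API; the only change is the source of the dictionary passed to users_without_fido. Note that a factor still in PENDING_ACTIVATION is deliberately ignored, since it cannot be used to satisfy an MFA prompt.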

Note about YubiKeys

YubiKeys can be deployed in OTP mode and/or as a U2F or WebAuthn factor based on FIDO1 and FIDO2 standards.

Enable MFA factor types

  1. In the Admin Console, go to Security > Multifactor > Factor Types.
  2. For each factor type, select Active or Inactive to change its status. This setting determines whether the factor type can be enabled for end users, depending on MFA factor enrollment policies.
  3. For each factor type, configure the available options displayed based on your security requirements.

Softlock

Softlock can be configured for password policies and can also be used for delegated authentication:

  • MFA autounlock can only be enabled and defined in a password policy.

  • The unlock period can only be set to 60 minutes and can't be a custom duration.

  • If autounlock is not enabled in the password policy, it won't be enforced at all.

  • Active Directory (AD) and LDAP-backed users are allowed five failed attempts to enter their MFA code, after which the Okta account will be locked.

  • The number of unsuccessful attempts before locking cannot be changed and is fixed at five.

  • This lockout counter is factor-specific; any attempts on one factor will not affect the lockout counter for another factor.

  • AD-backed users can take advantage of the Okta Self Service feature to unlock their account. LDAP-backed users, however, must contact their administrators to unlock their Okta account.
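The softlock rules above interact in ways that are easy to misread: the failed-attempt counter is kept per factor, but the lock that results is on the Okta account, and autounlock only ever applies when the password policy enables it. The class below is an added example written for this page, not Okta code; it models those rules with time passed in as plain minutes so the behaviour can be checked offline. The user and factor names are constructed.

```python
"""Model of the MFA softlock rules on this page (added example, not Okta code)."""

MAX_FAILED_ATTEMPTS = 5   # fixed by Okta for AD- and LDAP-backed users; not configurable
AUTOUNLOCK_MINUTES = 60   # the only unlock period Okta allows; no custom duration


class FactorLockoutTracker:
    """Failed-attempt counter per (user, factor); account-wide lock once any
    single counter reaches MAX_FAILED_ATTEMPTS; optional 60-minute autounlock.
    Time is a plain number of minutes so the class runs without a clock."""

    def __init__(self, autounlock_enabled):
        self.autounlock_enabled = autounlock_enabled
        self.failures = {}    # (user, factor) -> consecutive failed attempts
        self.locked_at = {}   # user -> minute at which the account was locked

    def is_locked(self, user, now):
        """True while the account is locked; clears an expired autounlock lock.
        With autounlock disabled the lock never expires on its own."""
        locked = self.locked_at.get(user)
        if locked is None:
            return False
        if self.autounlock_enabled and now - locked >= AUTOUNLOCK_MINUTES:
            self.unlock(user)
            return False
        return True

    def unlock(self, user):
        """Unlock the account and reset every factor counter for the user
        (what an admin unlock, or AD self-service unlock, would do)."""
        self.locked_at.pop(user, None)
        for key in [k for k in self.failures if k[0] == user]:
            del self.failures[key]

    def record_failure(self, user, factor, now):
        """Count one wrong MFA code on `factor`. Returns True if the account
        is locked afterwards. Counters for other factors are untouched."""
        if self.is_locked(user, now):
            return True
        key = (user, factor)
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= MAX_FAILED_ATTEMPTS:
            self.locked_at[user] = now
            return True
        return False

    def record_success(self, user, factor):
        """A correct code resets that factor's counter only."""
        self.failures.pop((user, factor), None)


def simulate(autounlock_enabled):
    """Walk one constructed user through the rules and return what was observed:
    four SMS failures plus four push failures do not lock (per-factor counters),
    the fifth SMS failure does, and the lock clears at 60 minutes only when
    autounlock is enabled."""
    t = FactorLockoutTracker(autounlock_enabled)
    t0 = 0
    sms_results = [t.record_failure("alice", "sms", t0) for _ in range(4)]
    push_results = [t.record_failure("alice", "push", t0) for _ in range(4)]
    locked_before_fifth = t.is_locked("alice", t0)
    locked_on_fifth = t.record_failure("alice", "sms", t0)
    return {
        "any_lock_before_fifth_sms": any(sms_results) or any(push_results),
        "locked_before_fifth_sms": locked_before_fifth,
        "locked_on_fifth_sms": locked_on_fifth,
        "locked_at_59_min": t.is_locked("alice", t0 + 59),
        "locked_at_60_min": t.is_locked("alice", t0 + 60),
        "locked_at_5_hours": t.is_locked("alice", t0 + 300),
    }


if __name__ == "__main__":
    print("autounlock enabled :", simulate(True))
    print("autounlock disabled:", simulate(False))
```

The two simulate() runs differ only in the 60-minute and 5-hour checks: with autounlock disabled the account stays locked until unlock() is called, which is the LDAP-backed user's "contact an administrator" path.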

Third-Party MFA Providers with Okta

Okta's native Multifactor Authentication (MFA) method, Okta Verify, balances ease of use with security. However, sometimes circumstances dictate your choices. Feedback from hundreds of Okta customers currently using Okta for MFA exposed a number of scenarios where a third-party MFA provider was needed. Some customers had a pre-existing investment in a legacy MFA provider and were wary of the cost and effort in changing their user experience. Others required the high-level assurance that hardware tokens can deliver for a subset of privileged users. Still others were in a state of transition—eager to adopt Okta Verify, but reluctant to migrate from their old provider too abruptly.

While authentication methods do matter, they are only a part of the story with Okta. Our flexible policy framework, catalog of thousands of app integrations, and contextual access control allow our customers to broadly deploy MFA across their organizations. You are not restricted to Okta Verify—various third-party authentication methods are compatible and seamless with the Okta identity platform. Okta can even support multiple factors simultaneously, allowing organizations to migrate between factors or support heterogeneous user environments.

This is why Okta supports several third-party MFA providers. The following table lists the supported providers and details about their integration.

Vendor               | Integration Type  | Note                                                                                                                                                  | Supported Authentication Methods | Documentation
---------------------+-------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------+----------------------------------------------------------
RSA                  | On-Prem MFA agent | This type of integration relies on the Okta agent to facilitate communication between the Okta service and an On-Prem RADIUS server.                 | OATH-OTP                         | Configuring the On-Prem MFA Agent (including RSA SecurID)
Entrust, Symantec    | Native            | These integrations are built upon the providers' APIs or WebSDKs. They vary in feature support because not all features are similarly accessible.    | OTP                              | Configuring Multifactor Authentication
Duo Security         | Native            |                                                                                                                                                       | OTP, Push, Voice                 | Configuring Duo Security
Google Authenticator | Native            |                                                                                                                                                       | OTP                              | Configuring the Okta RADIUS Agent
YubiKey              | Native            |                                                                                                                                                       | OTP, Push OTP                    | Using YubiKey Authentication in Okta

MFA with Windows Remote Desktop (RDP)

The Okta Windows Credential Provider prompts users for MFA when signing in to supported Windows servers with an RDP client. To use it, you must configure an agent on the Windows server. For instructions, see Okta Windows Credential Provider.

Note

After clicking the Privacy Policy link, users cannot return to the factor screen. Users must close the remote desktop session and reopen it to continue.