About Multifactor Authentication (MFA)
Multifactor Authentication (MFA) is an added layer of security used to verify an end user's identity when they sign in to an application.
An Okta admin can configure MFA at the organization or application level. If both levels are enabled, end users are prompted to confirm their credentials with factors both when signing in to Okta and when accessing an application.
To learn more about admin role permissions and MFA, see Administrators.
|SMS / Voice / Email||Moderate||Strong||Strong||Moderate||Weak|
|U2F and WebAuthn||Strong||Moderate||Strong||Strong||Strong|
Note about phishing resistance
Push verification such as Okta Verify Push is more effective than OTP against traditional phishing. However, for stronger resistance, use FIDO-based factors such as U2F, Windows Hello, or WebAuthn.
Note about YubiKeys
YubiKeys can be deployed in OTP mode and/or as a U2F or WebAuthn factor based on FIDO1 and FIDO2 standards.
Enable MFA factor types
- In the Admin Console, go to Security > Multifactor > Factor Types.
- For each factor type, select Active or Inactive to change its status. This setting determines whether the factor type can be enabled for end users, depending on MFA factor enrollment policies.
- For each factor type, configure the available options displayed based on your security requirements.
Softlock can be configured for password policies and can also be used for delegated authentication:
- MFA autounlock can only be enabled and defined in a password policy.
- The unlock period can only be set to 60 minutes and can't be a custom duration.
- If autounlock is not enabled in the password policy, it won't be enforced at all.
- Active Directory (AD) and LDAP-backed users are allowed five failed attempts to enter their MFA code, after which the Okta account will be locked.
- The number of unsuccessful attempts before locking cannot be changed and is fixed at five.
- This lockout counter is factor-specific; any attempts on one factor will not affect the lockout counter for another factor.
- AD-backed users can take advantage of the Okta Self Service feature to unlock their account, however, LDAP-backed users must contact their administrators to unlock their Okta account.
Third-Party MFA Providers with Okta
Okta's native Multifactor Authentication (MFA) method, Okta Verify, balances ease of use with security. However, sometimes circumstances dictate your choices. Feedback from hundreds of Okta customers currently using Okta for MFA, exposed a number of scenarios where a third-party MFA provider was needed. Some customers had a pre-existing investment in a legacy MFA provider and were wary of the cost and effort in changing their user experience. Others required the high-level assurance that hardware tokens can deliver for a subset of privileged users. Still others were in a state of transition—eager to adopt Okta Verify, but reluctant to migrate from their old provider too abruptly.
While authentication methods do matter, they are only a part of the story with Okta. Our flexible policy framework, catalog of thousands of app integrations, and contextual access control allow our customers to broadly deploy MFA across their organizations. You are not restricted to Okta Verify—various third-party authentication methods are compatible and seamless with the Okta identity platform. Okta can even support multiple factors simultaneously, allowing organizations to migrate between factors or support heterogeneous user environments.
This is why Okta expertly supports several third-party MFA providers. Click to view a table listing supported providers and details about their integration.
|Vendor||Integration Type||Note||Supported Authentication Methods||Documentation|
|RSA||On-Prem MFA agent||This type of integration relies on the Okta agent to facilitate communication between the Okta service and an On-Prem RADIUS server.||OATH-OTP||Configuring the On-Prem MFA Agent (including RSA SecurID)|
|Symantec||Native||These integrations are built upon the providers’ APIs or WebSDKs. They vary in feature support because not all features are similarly accessible.||OTP||Configuring Multifactor Authentication|
|Duo Security||Native||OTP, Push, Voice||Configuring Duo Security|
|Google Authenticator||Native||OTP||Configuring the Okta RADIUS Agent|
|YubiKey||Native||OTP, Push OTP||Using YubiKey Authentication in Okta|
MFA with Windows Remote Desktop (RDP)
The Okta Windows Credential Provider prompts users for MFA when signing in to supported Windows servers with an RDP client. To use it, you must configure an agent on the Windows server. For instructions, see Okta Windows Credential Provider.