Multifactor Authentication

Multifactor authentication means that users must verify their identity in two or more ways to gain access to their account. They can be things such as passwords, answers to security questions, phones (SMS or voice call), and authentication apps, such as Okta Verify. In Okta, these ways for users to verify their identity are called authenticators.

Okta supports a wide variety of authenticators, which allows you to customize the use of authenticators according to the unique MFA requirements of your enterprise environment. You can also customize MFA enrollment policies, which control how users enroll themselves in an authenticator, and authentication policies and Global Session Policies, which determine which authentication challenges end users will encounter when they sign in to their account. For example, you can allow or block sign-ins based on the user's location, the groups they're assigned to, the authenticator they're using, and more, and specify which actions to take, such as allowing access or presenting additional challenges.

Steps to set up an authenticator

The following steps describe the workflow to set up most of the authenticators that Okta supports. See the topics for each authenticator you want to use for specific instructions.

  1. Enable the authenticator. Instructions are provided in each authenticator topic.
  2. Configure the authenticator. Each authenticator has its own settings.
  3. Add the authenticator to the MFA Enrollment policy and customize.

See About MFA authenticators to learn more about authenticators and how to configure them.

List of supported authenticators

Authenticator Factor type Method characteristics Description

Okta Verify

Possession

Possession + Biometric*

Hardware protected

Device bound

User presence

Okta Verify is an authenticator app used to confirm a user's identity when they sign in to Okta or protected resources.

Note:Okta Verify for macOS and Windows is supported only on Identity Engine orgs.

Custom OTP

Possession

Device bound

User presence

You can add Custom OTP authenticators that allow users to confirm their identity when they sign in to Okta or protected resources. After you configure a Custom OTP and associated policies in Okta, end users are prompted to set it up by entering a code that you provide.

Duo Security

Possession

Device bound

User presence

Duo Security is an authenticator app used to confirm a user's identity when they sign in to Okta or protected resources. When integrated with Okta, Duo Security becomes the system of record for multifactor authentication.

Email

Possession

User presence

The Email authenticator allows users to authenticate successfully with a token (referred to as an email magic link) that is sent to their primary email address.

Google Authenticator

Possession

Device bound

User presence

Google Authenticator is an authenticator app used to confirm a user's identity when they sign in to Okta or protected resources. When Google Authenticator is enabled, users who select it to authenticate are prompted to enter a time-based six-digit code generated by the Google Authenticator app.

Password

Knowledge

User presence

The Password authenticator consists of a string of characters that can be specified by users or set by an admin.

Phone

Possession

User presence

The SMS and Voice Call authenticators require the use of a phone. They send a code in a text message or voice call that the user enters when prompted by Okta.

Security Key, Biometric (WebAuthn)

Possession

Possession + Biometric*

Device bound

Phishing resistant

User presence

The Security Key or Biometric authenticator follows the FIDO2 Web Authentication (WebAuthn) standard. The user inserts a security key, such as a Yubikey, touches a fingerprint reader, or their device scans their face to verify them.

Security Question

Knowledge

User presence

The Security Question authenticator consists of a question that requires an answer that was defined by the end user.

Symantec VIP

Possession

Device bound

User presence

Symantec Validation and ID Protection Service (VIP) is a cloud-based authentication service that enables secure access to networks and applications. You can add Symantec VIP as an authenticator option in Okta.

Custom IdP authenticator

Possession

User presence

Custom Identity Provider (IdP) authentication allows admins to enable a custom SAML or OIDC MFA authenticator based on a configured Identity Provider. End users are directed to the Identity Provider in order to authenticate and then redirected to Okta once verification is successful.

* Verification with these authenticators always satisfies at least one possession factor type. Based on the device used to enroll and the method used to verify the authenticator, two factor types could be satisfied. For example, a user who verifies with a security key that requires a PIN will satisfy both possession and knowledge factor types with a single authenticator.