About MFA authenticators

Authenticators provide different levels of assurance depending on their factor type:

  • Possession: This is something that the user has in their possession, such as a phone, or access to an email account.

  • Knowledge: This is something that the user knows, such as a password, or the answer to a security question.

  • Biometric: This is something that the user is: a physical attribute, such as a fingerprint or face, that a device scans to confirm that the person attempting to authenticate is the same person who originally enrolled.

To provide higher levels of assurance, select combinations of authenticators that cover different factor types, such as this combination:

  • Select Password or Security Question to ask the user for something they know

  • Select Google Authenticator to prove that the user possesses the device on which the authenticator was enrolled (the device holding the one-time password secret)

  • Select Okta Verify with biometrics enabled to verify the physical person attempting to authenticate
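To make the possession factor concrete, here is an added example (not Okta's code, and not part of the original page) of what a Google Authenticator-style code actually proves. It implements RFC 6238 TOTP on the server side with the RFC's own SHA-1 test secret, and then plays out two cases a practitioner should keep in mind: a code relayed by a real-time phishing proxy is accepted, because the method never verifies which site the user is talking to, and a second use of the same code is rejected only because the verifier records the last time step it accepted. The timestamps and the relay scenario are constructed.

```python
import hashlib
import hmac
import struct

# A TOTP app such as Google Authenticator holds a secret shared at enrollment and
# derives a short code from it and the current 30-second time step (RFC 6238).
# Presenting a valid code therefore proves possession of that secret.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code: HOTP over the current time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side verifier for one enrolled secret.

    Accepts the current step or one step either side (clock skew), and remembers the
    highest step already used so that an accepted code can't be replayed.
    """

    def __init__(self, secret: bytes, digits: int = 6, step: int = 30, window: int = 1):
        self.secret = secret
        self.digits = digits
        self.step = step
        self.window = window
        self.last_step = -1  # highest time step accepted so far

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_step:
                continue  # already consumed: refuse replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_step = candidate
                return True
        return False


# RFC 6238 Appendix B test secret (SHA-1 variant); 8-digit codes as in the RFC's table.
TEST_SECRET = b"12345678901234567890"


def demo() -> dict:
    """Constructed scenario: a phishing proxy relays the user's code before the user does."""
    verifier = TotpVerifier(TEST_SECRET, digits=8)
    code = totp(TEST_SECRET, 59, digits=8)   # what the user's app displays at T=59
    # The proxy submits the captured code a few seconds later. The server has no way to
    # tell the proxy from the user: the code proves possession of the secret, not the
    # identity of the login server the user saw. This is why TOTP is not phishing-resistant.
    relayed_accepted = verifier.verify(code, 62)
    # The genuine user's own submission of the same code now fails, but only because the
    # verifier tracks last_step; a verifier without that bookkeeping would accept both.
    replay_accepted = verifier.verify(code, 70)
    # The next time step yields a fresh code that is accepted normally.
    next_step_accepted = verifier.verify(totp(TEST_SECRET, 90, digits=8), 90)
    return {
        "relayed_accepted": relayed_accepted,
        "replay_accepted": replay_accepted,
        "next_step_accepted": next_step_accepted,
    }
```

The window of one step either side is a usability choice for clock drift; widening it widens the relay window as well, so keep it small and always keep the last-step record so a captured code is single-use.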

Authenticators also have methods, and each method has characteristics. For example, some methods are bound to a specific device, while others demonstrate the physical presence of a user (rather than, for example, a bot). Each method characteristic is described below:

  • Device-Bound: The device key or secret is stored on the device and can't be transferred to another device without re-enrolling. Examples: all possession authenticators except Email and Phone.

  • Hardware-Protected: The authenticator keeps its secrets or private keys in hardware. The device key is stored on a separate device, in the Trusted Platform Module (TPM), in a secure enclave, or on a separate hardware token such as RSA SecurID. Not all types of devices provide hardware protection. Example: the Okta Verify proof-of-possession key.

  • Phishing-Resistant: The authenticator cryptographically verifies the login server, so a credential registered for the real site can't be used from a look-alike site. Example: WebAuthn, where the credential is scoped to the site's relying party ID and the browser records the origin it was actually used at in the signed data.

  • User Presence: The user proves control of the authenticator by actively authenticating (interacting with it, such as touching a YubiKey or entering a one-time password) and thereby demonstrates physical presence. Examples: every method except an Okta Verify verification signed by a proof-of-possession key.
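To show what "phishing-resistant" and "user presence" mean at the protocol level, here is an added example (not Okta's code, and not from the original page) of the checks a relying party performs on a WebAuthn assertion: the challenge binds the response to this login attempt, the origin and rpIdHash are written by the browser and authenticator rather than by the page, so a look-alike domain can't produce a response that passes, and the flags byte carries the user-presence (UP) and user-verification (UV) bits. The signature check over the same data is assumed to be done separately and is omitted. The tenant name, origin, challenge bytes and the look-alike domain are constructed.

```python
import base64
import hashlib
import json

# Flag bits in the authenticator data byte at offset 32 (WebAuthn spec, section 6.1).
FLAG_UP = 0x01  # user present: the user touched or otherwise interacted with the authenticator
FLAG_UV = 0x04  # user verified: a PIN or biometric was checked on the authenticator


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes, expected_origin: str,
                    expected_rp_id: str, require_uv: bool = False) -> dict:
    """Relying-party checks on a WebAuthn assertion, apart from the signature.

    Returns {"ok", "reason", "user_verified"}. The signature over
    authenticator_data || SHA-256(client_data_json) must also be verified against the
    credential's stored public key; that step is omitted here.
    """
    result = {"ok": False, "reason": None, "user_verified": False}
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        result["reason"] = "wrong ceremony type"
        return result
    # Challenge: ties the assertion to this login attempt, so a captured one can't be replayed.
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        result["reason"] = "challenge mismatch"
        return result
    # Origin: the browser, not the page's script, writes the origin the credential was used at.
    if client_data.get("origin") != expected_origin:
        result["reason"] = f"origin mismatch: {client_data.get('origin')}"
        return result
    if len(authenticator_data) < 37:
        result["reason"] = "authenticator data too short"
        return result
    # rpIdHash: the authenticator signs the hash of the RP ID the browser scoped the request to.
    if authenticator_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        result["reason"] = "rpIdHash mismatch"
        return result
    flags = authenticator_data[32]
    if not flags & FLAG_UP:
        result["reason"] = "user presence flag not set"
        return result
    if require_uv and not flags & FLAG_UV:
        result["reason"] = "user verification required but not performed"
        return result
    result["ok"] = True
    result["user_verified"] = bool(flags & FLAG_UV)
    return result


# Constructed inputs standing in for what a browser and authenticator would produce.
def make_client_data(challenge: bytes, origin: str) -> bytes:
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


CHALLENGE = bytes(range(32))         # constructed; a real server uses os.urandom(32) per login
RP_ID = "example.okta.com"           # hypothetical tenant
ORIGIN = "https://example.okta.com"


def demo() -> dict:
    genuine = check_assertion(make_client_data(CHALLENGE, ORIGIN),
                              make_auth_data(RP_ID, FLAG_UP | FLAG_UV),
                              CHALLENGE, ORIGIN, RP_ID)
    # A proxy phishing site on a look-alike domain relays the real challenge, but the
    # browser stamps the look-alike origin and RP ID into the data that gets signed.
    phished = check_assertion(make_client_data(CHALLENGE, "https://example-okta.com"),
                              make_auth_data("example-okta.com", FLAG_UP),
                              CHALLENGE, ORIGIN, RP_ID)
    # An assertion produced without any user interaction fails the presence requirement.
    no_presence = check_assertion(make_client_data(CHALLENGE, ORIGIN),
                                  make_auth_data(RP_ID, 0),
                                  CHALLENGE, ORIGIN, RP_ID)
    return {"genuine": genuine, "phished": phished, "no_presence": no_presence}
```

In practice the browser refuses to use a credential for an RP ID that doesn't match the page's origin, so the look-alike site never obtains an assertion at all; the origin and rpIdHash checks above are the server-side backstop that makes the property hold even if a client misbehaves. Compare this with a one-time password, which carries no information about where it was entered.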

To achieve the highest levels of assurance, activate authenticators across a variety of factor types and methods.

When you add an authenticator to your list of authenticators, you must also configure it so it will work the way you want in your environment. Each authenticator has unique configuration requirements, and some authenticators are used for specific purposes.

For example, you can configure the Email, Phone, and Security Question authenticators to be used only for authentication (multifactor authentication or single sign-on), only for password recovery, or for both. When an authenticator is disabled for multifactor authentication or single sign-on, it's never requested during sign-on policy evaluation.