Configure Okta Verify options

After you add Okta Verify as an authenticator, you configure how users interact with Okta Verify during enrollment, or when they authenticate. You can also enable passwordless authentication with Okta FastPass.

Before you begin

  • If you activate push notifications with a number challenge, use Sign-In Widget 3.3.0 or later. If your org calls the Authentication API directly, update your code to handle the number challenge response: while the push is pending, the response carries the number that the user must select in Okta Verify, and your sign-in page must display it. See Response example (waiting for 3-number verification challenge response).
  • If your users are behind a firewall that restricts traffic to or from the internet, they might not receive Okta Verify push notifications. Open outbound TCP ports 5228, 5229, and 5230 on the firewall to allow connectivity with Google Firebase Cloud Messaging, and allow outgoing connections to all IP blocks that Google announces under ASN 15169.
  • For security reasons, Okta doesn't allow inspection or modification of traffic between Okta Verify and its endpoints. If you use a TLS-inspecting (SSL) proxy, exclude your organization's default Okta domains from inspection. Typically, Okta domains are *.okta.com or *.oktapreview.com. For a complete list of Okta domains, see Allow access to Okta IP addresses.
  • If you restrict enrollment to Federal Information Processing Standard (FIPS)-compliant devices, Android users must set a secure PIN on their devices to be Federal Identity, Credential, and Access Management (FICAM)-compliant. Otherwise, they can't access your org. Some Android hardware isn't certified as FIPS-compliant, so enforcing FIPS compliance blocks those devices even though their hardware keystores may otherwise be sound. Weigh the security benefit of hardware-backed keystores against your FIPS compliance requirement before enabling the restriction.

Start this task

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Setup tab, go to Okta Verify and click Actions > Edit.
  3. Configure the settings and save your configuration.

Settings

Enrollment options
Configure the security of Okta Verify enrollments:
  • Higher security methods: If you select this option, users can enroll only with the following methods:

    • Same device: Users start and complete the Okta Verify enrollment within the app by providing the organization’s sign-in URL.

    • Device-to-device bootstrap: Users can add an existing Okta Verify account to another mobile or desktop device by using Bluetooth.

  • Any method: If you select this option, users can enroll with any of the following security methods:

    • QR code in browser: Users scan a QR code in the browser to enroll Okta Verify on a mobile device.

    • SMS or email link: Users enroll in Okta Verify on mobile devices by clicking a link sent to them through SMS or email.

    • Same device: Users start and complete their Okta Verify enrollment within the app by providing the organization’s sign-in URL.

    • Device-to-device bootstrap: Users can add an existing Okta Verify account to another mobile or desktop device by using Bluetooth.

Verification options
Choose which authentication methods end users are prompted with when they authenticate. Regardless of which verification options you select, users are enrolled automatically in all of them. They appear on the Okta Verify Account Details page as Authentication Code, Push Notification, and Okta FastPass.
  • TOTP (on by default) (Android and iOS only): Users authenticate by entering a six-digit code generated by Okta Verify.

  • Push notification (Android and iOS only): Users authenticate by tapping a notification pushed to their mobile device.

  • Okta FastPass (All platforms): Enable Okta FastPass. Users authenticate by tapping or clicking Use Okta FastPass. See Enable Okta FastPass.

Okta FastPass
This section appears if you select Okta FastPass (All platforms).

Show the "Sign in with Okta FastPass" button: Select this checkbox to display the Sign in with Okta FastPass button on the Sign-In Widget. This checkbox isn't selected by default. If you don't select this option, users aren't prompted for this sign-in method even if you enabled Okta FastPass. Leave this setting cleared if you want to deploy Okta FastPass to your users gradually.

User verification
Define whether users must confirm their identity with a device passcode or biometrics when they enroll in Okta Verify or authenticate with Okta FastPass. User verification behavior can vary by device model and operating system. To understand how your configuration affects the user experience, see Okta Verify user verification settings.
  • Preferred: Users can enable device passcode or biometric confirmation during enrollment or later. They can enroll devices that don't support biometrics.

  • Required: New users are prompted to set up device passcode or biometrics when they enroll in Okta Verify. If the device doesn't support biometrics, users can enable device passcode instead. Already enrolled users who skipped this step are prompted to enable device passcode or biometrics the next time they attempt to sign in with Okta Verify on the enrolled device.

    During authentication with Okta FastPass, users have the option to confirm their identity with biometrics or device passcode.

  • Required with biometrics only: New users are prompted to set up biometrics when they enroll in Okta Verify. If the device doesn't support biometrics, users can't enroll in or authenticate with Okta Verify. Already enrolled users who skipped this step are prompted to enable biometrics the next time they attempt to sign in with Okta Verify on the enrolled device.

Push notification (number challenge)
Choose whether to include a number challenge with Okta Verify push notifications. The number challenge verifies that a sign-in attempt to an app protected by Okta came from the intended user and not from an unauthorized person. Okta displays a number in the Sign-In Widget and pushes a notification to Okta Verify on the user's mobile device; the user selects the number that matches what they see in the Sign-In Widget. If the selection is correct, the user can access the protected app. Because the user must read the number from the device that initiated the sign-in, an attacker who triggers a push against a victim's account can't get it approved by the victim simply tapping Approve, which defeats push-fatigue attacks and reduces the impact of phishing. See the end-user documentation: Sign in with an Okta Verify push notification (iOS) or Sign in with an Okta Verify push notification (Android).
  • Never: Users never receive a number challenge regardless of the risk level of the authentication attempt.

  • Only for high risk sign-in attempts: Users receive a number challenge only if the sign-in attempt is assessed as high risk. For this option to take effect, you must also configure sign-on policy rules that use Risk Scoring. See About risk scoring.

  • All push challenges: Users receive a number challenge with all Okta Verify push notifications regardless of risk level.
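The following Python is an added example, not code from Okta or from this page. It shows how a client that calls the Authentication API directly (the case called out under Before you begin) should handle the number challenge: parse the pending push response, surface the number that the sign-in page must display, finish on success, and fail closed on everything else. The field path _embedded.factor._embedded.challenge.correctAnswer follows Okta's documented response example for the 3-number challenge; verify it against the current API reference. All tokens, factor IDs and numbers in the sample responses are constructed placeholders.

```python
"""Handle the Okta Authentication API's push-with-number-challenge response.

Added example, not code from Okta or this page. The response shape follows the
Authentication API's documented "waiting for 3-number verification challenge"
example: status MFA_CHALLENGE, factorResult WAITING, and the number to display
at _embedded.factor._embedded.challenge.correctAnswer. Verify the path against
the current API reference. All sample responses below are constructed.
"""
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class PushState:
    status: str                      # top-level transaction status, e.g. MFA_CHALLENGE or SUCCESS
    factor_result: Optional[str]     # WAITING, SUCCESS, REJECTED, TIMEOUT, ... or absent
    challenge_number: Optional[int]  # number the sign-in page must show, if the org sends one
    session_token: Optional[str]     # present only when the transaction succeeded


def parse_push_verify_response(body: str) -> PushState:
    """Parse one POST /api/v1/authn/factors/{factorId}/verify response.

    Code written before number challenge existed reads only factorResult and
    keeps polling; the user then sees three numbers in Okta Verify and nothing
    to match them against in the browser. Surfacing correctAnswer fixes that.
    """
    doc = json.loads(body)
    factor = doc.get("_embedded", {}).get("factor", {})
    challenge = factor.get("_embedded", {}).get("challenge", {})
    number = challenge.get("correctAnswer")
    if number is not None and not isinstance(number, int):
        raise ValueError(f"unexpected correctAnswer: {number!r}")
    return PushState(
        status=doc["status"],
        factor_result=doc.get("factorResult"),
        challenge_number=number,
        session_token=doc.get("sessionToken"),
    )


def next_action(state: PushState) -> str:
    """Map a parsed response to what the sign-in page does next.

    Returns "show:<n>" (render n and keep polling), "poll" (no number to
    show, keep polling), "complete" (exchange sessionToken), or "fail".
    Anything not explicitly recognised fails closed.
    """
    if state.factor_result == "WAITING":
        # With number challenge set to Never, or a low-risk sign-in under
        # "Only for high risk sign-in attempts", the challenge block is absent.
        if state.challenge_number is None:
            return "poll"
        return f"show:{state.challenge_number}"
    if state.status == "SUCCESS" and state.session_token:
        return "complete"
    return "fail"  # REJECTED, TIMEOUT, or anything unexpected


# Constructed sample responses (tokens and IDs are placeholders, not real values).
WAITING_WITH_CHALLENGE = json.dumps({
    "stateToken": "00stateTokenPlaceholder",
    "status": "MFA_CHALLENGE",
    "factorResult": "WAITING",
    "_embedded": {
        "factor": {
            "id": "opfPlaceholder",
            "factorType": "push",
            "provider": "OKTA",
            "_embedded": {"challenge": {"correctAnswer": 92}},
        }
    },
})
WAITING_NO_CHALLENGE = json.dumps({
    "stateToken": "00stateTokenPlaceholder",
    "status": "MFA_CHALLENGE",
    "factorResult": "WAITING",
    "_embedded": {"factor": {"id": "opfPlaceholder", "factorType": "push", "provider": "OKTA"}},
})
REJECTED = json.dumps({
    "stateToken": "00stateTokenPlaceholder",
    "status": "MFA_CHALLENGE",
    "factorResult": "REJECTED",
})
SUCCESS = json.dumps({
    "expiresAt": "2020-01-01T00:00:00.000Z",
    "status": "SUCCESS",
    "sessionToken": "sessionTokenPlaceholder",
})

if __name__ == "__main__":
    for name, body in [("waiting+number", WAITING_WITH_CHALLENGE), ("waiting", WAITING_NO_CHALLENGE),
                       ("rejected", REJECTED), ("success", SUCCESS)]:
        print(name, "->", next_action(parse_push_verify_response(body)))
```

The design point is that the poll loop keys on factorResult == WAITING and renders the number whenever it is present, so the same client works for orgs set to Never, Only for high risk sign-in attempts, and All push challenges; any response that is neither WAITING nor a SUCCESS with a sessionToken ends the attempt rather than being retried.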

FIPS Compliance
Restrict Okta Verify enrollment to FIPS-compliant Android or iOS devices. When this option is enabled, Okta Verify uses FIPS 140-2 validated cryptography for all security operations. Okta also meets FedRAMP FICAM requirements by relying on FIPS-validated vendors.
  • FIPS compliant devices only: Users can enroll only a FIPS-compliant device in Okta Verify.

  • Any device: Users can enroll any device in Okta Verify.

About risk scoring

You can combine number challenges with Okta Risk Scoring to increase the security of sign-ins to your Okta org. Okta assesses risk based on multiple criteria, including details about the device and its location. When enabled, Risk Scoring assigns a risk level to each Okta sign-in, and admins can configure a sign-on policy rule to take different actions based on the risk level of the sign-in, such as prompting for multifactor authentication if the sign-in is considered high-risk. See Risk Scoring for instructions.

Known limitations

  • Authentication with biometrics isn't supported on Apple Watch.
  • On Android devices, only biometric methods that Google classifies as Class 3 (Strong), such as facial and fingerprint recognition, are supported.
  • Biometrics isn't supported on Android 12 if Okta Verify is installed on the work profile. End users receive a Keystore not initialized error and they can't enable biometrics. To unblock affected users, set User verification to Preferred, and then advise end users to skip the biometrics enablement step.
  • Push notification: The number challenge isn't supported in LDAP Interface (LDAPi) and RADIUS environments. The three-number challenge appears in the Okta Verify app, but the matching number doesn't appear in the end user's desktop browser, so the user can't complete the challenge. In these environments, configure an MFA authenticator other than Okta Verify.
  • Okta Verify authentication doesn't function properly if HTTP Strict Transport Security (HSTS) is enabled for loopback. Users who develop, host, or debug websites locally often enable this option. If your organization doesn't require HSTS on loopback for security reasons, advise your users to remove the Okta URL from the list of domains that require HSTS. Consult your browser's documentation for instructions and share them with your users.

Next steps

Continue with the procedure in Enroll Okta Verify in an authentication enrollment policy.

Related topics

Configure the Okta Verify authenticator

Create an authenticator enrollment policy

Configure an authenticator enrollment policy rule