Configure Okta Verify options

After you add Okta Verify as an authenticator, you configure the options that control how end users interact with Okta Verify when they authenticate. You can also enable Okta FastPass.

Before you begin

  • If you activate Push notification: Number challenge, ensure that users can see the number challenge instructions:
  • If your end users are behind a firewall that restricts traffic to or from the internet, they may be unable to receive the Okta Verify push notifications. To allow your users to receive the Okta Verify push notifications, open ports 5228, 5229 and 5230 on the firewalls to allow connectivity with Google Firebase Cloud Messaging. Allow the firewall to accept outgoing connections to all IP addresses contained in the IP blocks listed in Google's ASN of 15169.
  • If you restrict access to FIPS-compliant devices:
    • Android users must configure and set a secure PIN on their devices to make them FICAM-compliant and able to access your org.
    • There may be a trade-off in security between FIPS compliance and using hardware keystores on Android devices, since some Android OEMs’ hardware have not been certified as FIPS-compliant.

Start this task

  1. In the Admin Console, go to Security > Authenticators.
  2. In the Setup tab, go to Okta Verify and click Actions > Edit.
  3. In the Verification options section, choose the authentication methods that appear to end users when they authenticate.
    TOTP (on by default) (Android and iOS only)Users verify their identity by entering a six-digit code generated by Okta Verify when they're attempting to authenticate.
    Push notification (Android and iOS only)Users verify their identity by tapping a notification pushed to their mobile device when they're attempting to authenticate.

    Okta FastPass (All platforms)

    Select this option to enable Okta FastPass on all platforms. Users verify their identity by tapping or clicking the Use Okta Verify on this device button that appears when they’re attempting to access an app. See Configure Okta FastPass

    Regardless of which verification options you select, end users are still enrolled automatically in all of them. They appear in the Account Details page of the app as Authentication Code, Push Notification, and This Device.

    Enrolling end users in all the methods automatically but letting you control which methods are shown to them when authenticating is intended to simplify the end-user experience in case you add or remove some methods later.

  1. If you select the Okta FastPass (All platforms) option, the Okta FastPass section appears.

    Show the "Sign in with Okta FastPass" button

    Select this checkbox to display the Sign in with Okta FastPass button on the Sign-In Widget.

    The screenshot shows how the Sign-In Widget appears to users when the Show the "Sign in using Okta Verify on this device" button checkbox is selected.

    By default, this checkbox isn't selected. End users won't be aware that this sign-in method is available to them, even though Okta FastPass is enabled. Consider leaving this checkbox clear if you want to deploy Okta FastPass to your users gradually.

  1. From the User verification list, select an option to determine whether biometrics (fingerprint or face scanning) is preferred or required when users enroll in or authenticate with Okta Verify.

    Preferred

    Users can enable biometrics during enrollment or at a later time. Users can enroll devices that don't support biometric functionality.

    Required

    This setting only applies to Okta Verify Push. Users must enable biometrics during enrollment. Users can't sign in or enroll devices in Okta Verify that don't support biometric functionality.

  1. In the Push notification: number challenge section, select an option to choose whether to include a number challenge with an Okta Verify Push challenge.

    Number challenge is a technique for verifying that a sign-in attempt to a protected app came from the intended user and not from an unauthorized person. It works by presenting a number in the sign-in instructions and pushing a notification to Okta Verify on the user's mobile device. The user selects the number in Okta Verify on their mobile device that matches what they see in the sign-in instructions, and they are allowed to access the protected app.

    Number challenge helps prevent phishing by ensuring that the user possesses both Okta Verify and the device initiating the sign-in attempt.

    Never

    Users are never presented a number challenge regardless of the risk level of the authentication attempt.

    Only for high risk sign-in attempts

    Using Okta's Risk Scoring functionality, you can configure this option to present users with a number challenge only if the sign-in attempt is assessed to be high risk, for example. Admins must configure settings for sign-on policy rules; see About Risk Scoring below.

    All push challenges

    Users are presented a number challenge with all Okta Verify push challenges regardless of risk level.

    If you select the All push challenges option, Okta Verify for Android version 6.1.1 crashes for users created in Okta Identity Engine. Advise these users to update to the latest version of Okta Verify.

  1. In the FIPS Compliance section, choose whether to permit any, or only FIPS-compliant Android or iOS devices, to enroll in Okta Verify.

    The Federal Information Processing Standards (FIPS) are a set of technical requirements developed by the United States federal government to establish computer security guidelines for government agencies, corporations, and organizations.

    To ensure secure interoperability with FIPS standards, Okta Verify uses FIPS 140-2 validation for all security operations when this option is enabled. Okta also meets FedRAMP FICAM requirements by relying on FIPS-validated vendors.

    FIPS compliant devices only

    Users may only enroll a FIPS-compliant device in Okta Verify.

    Any device

    Users may enroll any device in Okta Verify.

  1. Click Save.

User experience

The Sign in with Okta FastPass button

When users click Sign in with Okta FastPass, they'll be prompted to open Okta Verify:

The screenshot shows how the Sign-In Widget appears after a user clicks the "Sign in using Okta Verify on this device" button.

Push notification: Number challenge

If you select the Only for high risk sign-in attempts or All push challenges option:

  1. When accessing a protected resource, an Android or iOS user enrolled in Okta Verify with Push clicks the Get a push notification option in the sign-in instructions.
  2. A number appears in the sign-in instructions.
  3. On the mobile device, a notification with a Review option appears in Okta Verify. The user validates the sign-in attempt by tapping Review and then tapping the number on the device that matches the number shown in the sign-in instructions. Verification succeeds only if the numbers match. This ensures that the sign-in attempt was initiated by the user and not an unauthorized person. Details about where the sign-in attempt originated are provided below the number choices. Optionally, the user can tap Cancel the sign-in attempt to deny the sign-in attempt.

See the end-user documentation: Sign in with an Okta Verify push notification (iOS) or Sign in with an Okta Verify push notification (Android).

About Risk Scoring

You can combine the number challenge functionality described above with Okta's Risk Scoring capability to increase the level of security protecting sign-ins to your Okta org. Okta assesses risk based on a number of criteria, including details about the device and its location. When enabled, Risk Scoring assigns a risk level to each Okta sign-in, and admins can configure a sign-on policy rule to take different actions based on the risk level of the sign-in, such as prompting for multifactor authentication if the sign-in is considered high-risk. See Risk Scoring for instructions.

Known limitations

  • Okta FastPass and Push notifications aren't available for iPod Touch devices.
  • Authentication with biometrics isn't supported on Apple Watch.
  • For Android devices, only biometric methods classified by Google as Class 3-Strong (facial and fingerprint recognition) are supported.
  • Biometrics isn't supported on Android 12 if Okta Verify is installed on the work profile. End users receive a Keystore not initialized error and they can't enable biometrics. To unblock affected users, set User verification to Preferred, and then advise end users to skip the biometrics enablement step.
  • Push notification: Number challenge isn't supported in LDAPi and RADIUS environments. The three-number challenge appears in the Okta Verify app but the matching number doesn't appear in the end user's desktop browser. In this case, configure an MFA authenticator other than Okta Verify.
  • Multiple user profiles aren't supported on a single macOS or Windows device if you select Okta FastPass as a verification option.

Next steps

Continue with the procedure in Enroll Okta Verify in a multifactor policy.

Related topics

Configure the Okta Verify authenticator

Create an authentication enrollment policy

Configure an authentication enrollment policy rule