Multifactor authentication
Multifactor authentication (MFA) means that users must verify their identity in two or more ways to gain access to their account. This makes it harder for unauthorized parties to sign in to a user's account. It's unlikely that they have access to all authentication methods.
Adding authenticators with different factor types and method characteristics strengthens your MFA strategy. You can require authenticators for apps or groups of users and specify which ones can be used for account recovery.
|
Factor type |
Method characteristic |
Authenticator |
|---|---|---|
| Possession
|
User presence | Email, Phone, IdP |
| User presence, Device-bound | Custom OTP, Duo Security, Google Authenticator, Symantec VIP | |
| User presence, Device-bound, Hardware-protected | YubiKey OTP | |
| User presence, Device-bound, Phishing-resistant | Smart Card IdP | |
| User presence, Device-bound, Phishing-resistant, Hardware-protected | Smart Card IdP (with Hardware option) | |
| Possession + Biometric | User presence, Device-bound, Hardware-protected | Okta Verify, Custom Authenticator |
| User presence, Device-bound, Phishing-resistant | FIDO2 (WebAuthn) | |
| Possession + Knowledge
|
User presence, Device-bound, Phishing-resistant, User verifying | Smart Card IdP (with PIN option) |
| User presence, Device-bound, Phishing-resistant, User verifying, Hardware-protected | Smart Card IdP (with PIN and Hardware options) | |
| Knowledge | User presence | Password, Security Question |
Factor types
Okta authenticators can be categorized into three factor types:
- Possession: This is something that the user has, such as a phone or an email account.
- Knowledge: This is something that the user knows, such as a password or the answer to a Security Question.
- Biometric: This is something that the user is. It represents a physical attribute of the user that a device can scan, such as the user's fingerprint or face.
Method characteristics
Factors can be categorized into several method characteristics:
- Device-bound: These authenticators are associated with a specific device.
- Hardware-protected: These authenticators require a physical device to authenticate.
- Phishing-resistant: These authenticators don't provide any authentication data that a user can share with others. Users therefore can't be tricked into sharing their credentials in phishing campaigns. See Phishing-resistant authentication and Okta solutions for phishing resistance.
- User presence: These authenticators require human interaction.
- User verifying: These authenticators prove that a specific user is the one who is authenticating.
Authenticators
To use an authenticator, you add it from , configure it, and then add it to an authenticator enrollment policy. See an authenticator topic for instructions.
Reset authenticators
You can reset the authenticators for your users. After reset, users have to set up their authenticators again. See Reset multifactor authentication for end users.