Multifactor authentication

Multifactor authentication (MFA) means that users must verify their identity in two or more ways to gain access to their account. This makes it harder for unauthorized parties to sign in to a user's account. It's unlikely that they have access to all authentication methods.

Adding authenticators with different factor types and method characteristics strengthens your MFA strategy. You can require authenticators for apps or groups of users and specify which ones can be used for account recovery.

Factor type	Method characteristic	Authenticator
Possession	User presence	Email, Phone, IdP
	User presence, Device-bound	Custom OTP, Duo Security, Google Authenticator, Symantec VIP
	User presence, Device-bound, Hardware-protected	YubiKey OTP
	User presence, Device-bound, Phishing-resistant	Smart Card IdP
	User presence, Device-bound, Phishing-resistant, Hardware-protected	Smart Card IdP (with Hardware option)
Possession + Biometric	User presence, Device-bound, Hardware-protected	Okta Verify, Custom Authenticator
	User presence, Device-bound, Phishing-resistant	FIDO2 (WebAuthn)
Possession + Knowledge	User presence, Device-bound, Phishing-resistant, User verifying	Smart Card IdP (with PIN option)
	User presence, Device-bound, Phishing-resistant, User verifying, Hardware-protected	Smart Card IdP (with PIN and Hardware options)
Knowledge	User presence	Password, Security Question

Factor types

Okta authenticators can be categorized into three factor types:

• Possession: This is something that the user has, such as a phone or an email account.
• Knowledge: This is something that the user knows, such as a password or the answer to a Security Question.
• Biometric: This is something that the user is. It represents a physical attribute of the user that a device can scan, such as the user's fingerprint or face.

Method characteristics

Factors can be categorized into several method characteristics:

• Device-bound: These authenticators are associated with a specific device.
• Hardware-protected: These authenticators require a physical device to authenticate.
• Phishing-resistant: These authenticators don't provide any authentication data that a user can share with others. Users therefore can't be tricked into sharing their credentials in phishing campaigns. See Phishing-resistant authentication and Okta solutions for phishing resistance.
• User presence: These authenticators require human interaction.
• User verifying: These authenticators prove that a specific user is the one who is authenticating.

Authenticators

To use an authenticator, you add it from SecurityAuthenticators, configure it, and then add it to an enrollment policy. See any of the following authenticator topics for instructions.

• Custom Authenticator

• Custom OTP

• Duo Security

• Email

• FIDO2 (WebAuthn)

• Google Authenticator

• IdP

• Okta Verify (TOTP and Push)

• Okta FastPass

• Password

• Phone

• Security Question

• Smart Card IdP

• Symantec VIP

• YubiKey OTP

Reset authenticators

You can reset the authenticators for your users. After reset, users have to set up their authenticators again. See Reset multifactor authentication for users.