Configure Okta Verify options
After you add Okta Verify as an authenticator, you configure how users interact with Okta Verify during enrollment, or when they authenticate. You can also enable Okta FastPass.
Before you begin
- If you activate a push notification with number challenge, use the Sign-In Widget 3.3.0 or a later version. If your org calls the Authentication API directly, update your code to handle the number challenge API response. See Response example (waiting for 3-number verification challenge response).
- If your users are behind a firewall that restricts traffic to or from the internet, they might not receive Okta Verify push notifications. Open ports 5228, 5229, and 5230 on the firewalls to allow connectivity with Google Firebase Cloud Messaging. Configure the firewall to accept outgoing connections to all IP addresses in the IP blocks listed by Google in ASN of 15169.
- For security reasons, Okta doesn't allow inspection or modification of traffic between Okta Verify and its endpoints. If you use an SSL proxy, exclude your organization's default Okta domains from inspection. Typically Okta domains are *.okta.com or *.oktapreview.com. For a complete list of Okta domains, see Allow access to Okta IP addresses.
- If you restrict access to Federal Information Processing Standard (FIPS)-compliant devices, Android users must enable a secure PIN on their devices to make them Federal Identity, Credential, and Access Management (FICAM)-compliant. Otherwise, they can't access your org. Some Android hardware isn't certified as FIPS-compliant. Consider the security implications of using hardware keystores against the need for FIPS compliance.
Start this task
- In the Admin Console, go to .
- On the Setup tab, go to Okta Verify and click .
- Configure the settings and save your configuration.
Settings
Settings | Values
--- | ---
Enrollment options | Configure the security of Okta Verify enrollments:
Verification options | Choose what authentication methods end users are prompted with when they authenticate. Regardless of the authentication methods that you select, users are enrolled automatically in all of them. They appear in the Okta Verify Account Details page as Authentication Code, Push Notification, and Okta FastPass.
Okta FastPass | This section appears if you select Okta FastPass (All platforms). Show the "Sign in with Okta FastPass" button: Select this checkbox to display the Sign in with Okta FastPass button on the Sign-In Widget. This checkbox isn't selected by default. If you don't select this option, users aren't prompted for this sign-in method even if you enabled Okta FastPass. Leave this setting clear if you want to deploy Okta FastPass to your users gradually.
Device passcode or biometric user verification | Define how users can enroll in Okta Verify or Okta FastPass. User verification can vary by device model and operating system. To understand how your configuration impacts the user experience, see User experience according to Okta Verify user verification settings.
Push notification (number challenge) | Choose whether to include a number challenge with an Okta Verify push notification. The number challenge verifies that a sign-in attempt to an app protected by Okta came from the intended user and not from an unauthorized person. It presents a number in the Sign-In Widget and pushes a notification to Okta Verify on the user's mobile device. The user selects the number that matches what they see in the Sign-In Widget. If the selection is correct, the user can access the protected app. The number challenge helps prevent phishing by ensuring that the user possesses both Okta Verify and the device initiating the sign-in attempt. See the end-user documentation: Sign in with an Okta Verify push notification (iOS) or Sign in with an Okta Verify push notification (Android).
FIPS Compliance | Restrict Okta Verify enrollment to FIPS-compliant Android or iOS devices. When this option is enabled, Okta Verify uses FIPS 140-2 validation for all security operations. Okta also meets FedRAMP FICAM requirements by relying on FIPS-validated vendors.
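The "Before you begin" note says that an org calling the Authentication API directly must update its code to handle the number challenge response, and the Push notification (number challenge) setting above describes the flow: the Sign-In Widget shows a number and the user picks the matching one on the phone. The example below is added here to illustrate that client-side handling; it is not Okta's code or part of this page. It assumes (not stated on this page) that the WAITING response carries the number to display at `_embedded.factor._embedded.challenge.correctAnswer`, that terminal results arrive as `factorResult` values `SUCCESS`, `REJECTED` and `TIMEOUT`, and that a settled sign-in returns `status: SUCCESS` with a `sessionToken`. The response bodies are constructed samples with placeholder tokens. The key design point is that the client only displays the number and polls; the answer is given on the device, never accepted from the browser.

```python
import json
from dataclasses import dataclass
from typing import Callable, Optional, Tuple, List


@dataclass
class PushVerifyState:
    """Normalised view of one /api/v1/authn/factors/{factorId}/verify poll response."""
    state: str                            # number_challenge | waiting | authenticated | rejected | timeout | unknown
    display_number: Optional[int] = None  # number the Sign-In Widget must show the user
    state_token: Optional[str] = None
    session_token: Optional[str] = None


def parse_push_verify_response(body: str) -> PushVerifyState:
    """Classify a single poll response for an Okta Verify push factor."""
    data = json.loads(body)
    status = data.get("status")
    result = data.get("factorResult")
    state_token = data.get("stateToken")

    if status == "SUCCESS" and data.get("sessionToken"):
        return PushVerifyState("authenticated", session_token=data["sessionToken"])

    if result == "WAITING":
        # Assumed field path (not taken from the page): the challenge number is
        # nested under the factor object of the WAITING response.
        challenge = (data.get("_embedded", {}).get("factor", {})
                         .get("_embedded", {}).get("challenge", {}))
        number = challenge.get("correctAnswer")
        if isinstance(number, int):
            # Display only: the user answers on the phone, never in this client.
            return PushVerifyState("number_challenge", display_number=number,
                                   state_token=state_token)
        return PushVerifyState("waiting", state_token=state_token)

    if result in ("REJECTED", "TIMEOUT"):
        return PushVerifyState(result.lower(), state_token=state_token)

    # Anything else (errors, unexpected transitions) is surfaced as an error to the user.
    return PushVerifyState("unknown", state_token=state_token)


def poll_push_verification(fetch: Callable[[], str],
                           show_number: Callable[[int], None],
                           max_polls: int = 30) -> PushVerifyState:
    """Poll the verify endpoint until the push is settled.

    `fetch` performs one POST to the verify URL with the current stateToken and
    returns the response body; `show_number` renders the challenge number once.
    """
    shown = False
    last = PushVerifyState("unknown")
    for _ in range(max_polls):
        last = parse_push_verify_response(fetch())
        if last.state == "number_challenge" and not shown:
            show_number(last.display_number)
            shown = True
        elif last.state in ("authenticated", "rejected", "timeout", "unknown"):
            return last
    # Gave up waiting: treat as a timeout so the caller can offer a retry.
    return PushVerifyState("timeout", state_token=last.state_token)


# Constructed sample bodies (shape only; tokens and ids are placeholders, not real values).
WAITING_WITH_NUMBER = json.dumps({
    "stateToken": "00placeholderStateToken",
    "status": "MFA_CHALLENGE",
    "factorResult": "WAITING",
    "_embedded": {"factor": {"id": "opfPlaceholderFactorId", "factorType": "push",
                             "provider": "OKTA",
                             "_embedded": {"challenge": {"correctAnswer": 92}}}},
})
SUCCESS = json.dumps({"status": "SUCCESS", "sessionToken": "20placeholderSessionToken"})
REJECTED = json.dumps({"stateToken": "00placeholderStateToken",
                       "status": "MFA_CHALLENGE", "factorResult": "REJECTED"})


def demo() -> Tuple[PushVerifyState, List[int]]:
    """Simulate polling: two WAITING responses with the number, then user approval."""
    bodies = iter([WAITING_WITH_NUMBER, WAITING_WITH_NUMBER, SUCCESS])
    shown: List[int] = []
    final = poll_push_verification(lambda: next(bodies), shown.append)
    return final, shown


if __name__ == "__main__":
    final_state, numbers_shown = demo()
    print(final_state.state, numbers_shown)
```

In a real client, `fetch` is the HTTP call that re-posts the `stateToken` to the verify link from the previous response; the Widget 3.3.0 or later handles this for you, so this code only matters for orgs that call the API themselves.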
About risk scoring
You can combine a number challenge with Okta Risk Scoring to increase the security of sign-in flows to your Okta org. Okta assesses risk based on multiple criteria, including details about the device and its location. When enabled, Risk Scoring assigns a risk level to each Okta sign-in attempt, and admins can configure a sign-on policy rule to take different actions based on the risk level of the sign-in attempt, such as prompting for multifactor authentication if the sign-in attempt is considered high-risk. See Risk Scoring for instructions.
Known limitations
- Authentication with biometrics isn't supported on Apple Watch.
- For Android devices, only biometric methods classified by Google as Class 3-Strong (facial and fingerprint recognition) are supported.
- Biometrics isn't supported on Android 12 if Okta Verify is installed on the work profile. End users receive a Keystore not initialized error and they can't enable biometrics. To unblock affected users, set User verification to Preferred, and then advise end users to skip the biometrics enablement step.
- Push notifications with number challenge aren't supported in LDAPi and RADIUS integrations. In this case, configure an MFA authenticator other than Okta Verify.
- Okta Verify authentication doesn't function properly if HTTP Strict Transport Security (HSTS) is enabled for loopback. Users that develop, host, or debug websites locally often enable this option. If your organization doesn't require HSTS for security reasons, advise your users to remove the Okta URL from the list of domains that require HSTS. Consult your browsers' documentation for instructions and share them with your users.
Next steps
Continue with the procedure in Enroll Okta Verify in an authentication enrollment policy.
Related topics
Configure the Okta Verify authenticator