Configure the temporary access code authenticator

Early Access release. See Enable self-service features.

The temporary access code (TAC) authenticator lets you generate a temporary access code from a user's Universal Directory profile. This authenticator helps users securely gain temporary access to Okta when they're onboarding and in temporary access scenarios, like when a user has forgotten their security key at home.

The admin enables this authenticator and then adds it to policies. When a user needs a temporary passcode, Okta admins with sufficient privileges do the following tasks:

  • Verify the user's identity.
  • View the user's profile.
  • Create the TAC.
  • Give the TAC to the user over a secure, out-of-band channel, like a phone call.

The user enters the TAC in the Sign-In Widget when they authenticate.

This authenticator is a knowledge factor and fulfills the requirements for user presence. As a single knowledge factor, it doesn't meet the Any 2 factor types requirement in policies. See Multifactor authentication.

To work with this authenticator using the Okta API, see Temporary access code authenticator integration guide.

Before you begin

Complete the tasks in Configure groups, roles, and resources for the TAC authenticator before you add and configure the TAC authenticator.

Add the TAC authenticator

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Setup tab, click Add Authenticator.
  3. Click Add on the authenticator tile.

Configuration options

  1. Configure the following options:

    • Minimum expiry length: Enter the length of time and select a unit of time.
    • Maximum expiry length: Enter the length of time and select a unit of time.
    • Default expiry length: Enter the length of time and select a unit of time.
    • Character length: Enter the number of characters that appear in a TAC.
    • Code complexity: Select the options that you want to include in a TAC:
      • Numbers: Include numbers in TACs. This is a NIST requirement.
      • Letters: Include letters in TACs.
      • Special characters: Include special characters in TACs.
    • Allow multi-use codes: Select Allow Admin to create multi-use codes to enable users to use their TACs multiple times.
  2. Click Add. The authenticator appears in the list on the Setup tab.

Change the TAC authenticator status in the authenticator enrollment policy

When you add the TAC authenticator in Okta, it's automatically added to the authenticator enrollment policy with a status of Optional. This status means that groups of users can have TACs generated for them. You can change the status to Disabled if you don't want TACs to be available to a group of users. You can't set the status of this authenticator to Required. Users aren't prompted to enroll in this authenticator even though it's in the authenticator enrollment policy. If you disable this authenticator, users don't see prompts for a TAC on the Okta sign-in page. The option to generate a TAC still appears in the user's Universal Directory (UD) profile, and admins can still generate a TAC for them.

  1. In the Admin Console, go to Security > Authenticators.
  2. Click the Enrollment tab.
  3. Create a policy or edit an existing one. See Create an authenticator enrollment policy.
  4. By default, the status is set to Optional. To disable it, set the status to Disabled. If it was previously disabled, select Optional to enable it again.

Require a TAC in an authentication policy

  1. Create an authentication policy. See Create an authentication policy.
  2. Add an authentication policy rule. See Add an authentication policy rule.
  3. In the User must authenticate with section, select an option.
  4. In the Authentication methods section, select Allow specific authentication methods and then enter Temporary Access Code in the field.
  5. In the Prompt for password authentication section, select Every time user signs in to resource.

Include the TAC authenticator in an authentication method chain

An authentication method chain lets you require users to verify their identity using authenticators in an order that you configure. See Authentication method chain.

  1. In the authentication policy rule, go to the User must authenticate with dropdown menu and select Authentication method chain.
  2. Select Temporary Access Code as one of the authentication methods. If you want users to authenticate with another method before they're prompted for a TAC, select the other method as the first authentication method. Select Temporary Access Code as the second method.
  3. Select Every time user signs in to resource.
  4. Configure other settings as required.

Edit or delete the TAC authenticator

Before you edit or delete the authenticator, you may have to update existing policies that use this authenticator.

  1. In Authenticators, go to the Setup tab.
  2. Open the Actions dropdown menu beside the authenticator, and then select Edit or Delete.

Create a TAC

A user can only have one active TAC at a time. When you create a new TAC, any existing TACs are automatically revoked.

  1. In the Admin Console, go to Directory > People.
  2. Find the person that you want to create a TAC for.
  3. From the More actions menu, select Create Temporary Access Code.
  4. In the dialog, configure the length of time that the TAC is valid for. Enter a value in the length field within the minimum and maximum allowed values. See the Configuration options section.
  5. Select an option from the unit of time dropdown menu.
  6. Select One-time use or Multi-use. These options appear if you enabled multi-use TACs when you configured this authenticator.
  7. Click Create code.
  8. Okta displays the TAC. Ensure that you've verified the user's identity before you give them this code.

    The TAC doesn't reappear after you close the dialog. Only the creation and expiry time of the TAC appear.

  9. To reset the user's authenticators, click Reset authenticators. This is helpful in situations where a user has lost their device.
  10. To revoke the TAC immediately, click Expire code. To create another TAC, repeat this procedure.
  11. Click Close.

Reset authenticators and expire codes for existing TACs

You can only do this procedure when there's an existing TAC for a user. Complete the steps in Create a TAC before you do this procedure.

  1. In the Admin Console, go to Directory > People.
  2. Find the person that you created a TAC for.
  3. From the More actions menu, select View active Temporary Access Code details. The Temporary Access Code dialog appears.
  4. To reset the user's authenticators, click Reset authenticators. This is helpful in situations where a user has lost their device.
  5. To revoke the TAC immediately, click Expire code. To create another TAC, complete the steps in Create a TAC.
  6. Click Close.
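The rules described in Configuration options, Create a TAC and the Expire code step (expiry clamped to the configured minimum and maximum, a CSPRNG-drawn code containing every selected character class, one active code per user with the previous one revoked on creation, one-time versus multi-use consumption) modelled in Python as an added example. This is not Okta's code or API; the TacPolicy and TacStore names, the sample policy values and the special-character set are assumptions.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class TacPolicy:
    """Mirrors the Configuration options section; numbers are always included (NIST)."""
    min_expiry: timedelta
    max_expiry: timedelta
    default_expiry: timedelta
    length: int
    letters: bool = False
    special: bool = False
    allow_multi_use: bool = False

def generate_code(policy):
    """Draw a code from a CSPRNG with at least one character from each selected class."""
    classes = [string.digits] + ([string.ascii_letters] if policy.letters else [])
    classes += ["!@#$%^&*"] if policy.special else []        # assumed special-character set
    if policy.length < len(classes):
        raise ValueError("character length too short for the selected complexity")
    chars = [secrets.choice(c) for c in classes]              # one from each class
    chars += [secrets.choice("".join(classes)) for _ in range(policy.length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

class TacStore:  # one active TAC per user; creating a new one replaces (revokes) the old one
    def __init__(self, policy):
        self.policy, self.active = policy, {}   # user -> {code, expires_at, multi_use}
    def create(self, user, expiry=None, multi_use=False, now=None):
        expiry = expiry or self.policy.default_expiry
        if not self.policy.min_expiry <= expiry <= self.policy.max_expiry:
            raise ValueError("expiry outside the configured minimum/maximum")
        if multi_use and not self.policy.allow_multi_use:
            raise ValueError("multi-use codes are not enabled for this authenticator")
        now = now or datetime.now(timezone.utc)
        self.active[user] = {"code": generate_code(self.policy),
                             "expires_at": now + expiry, "multi_use": multi_use}
        return self.active[user]["code"]        # shown to the admin once, never again
    def expire(self, user):                     # the Expire code action
        self.active.pop(user, None)
    def verify(self, user, code, now=None):
        now, tac = now or datetime.now(timezone.utc), self.active.get(user)
        if tac is None or now >= tac["expires_at"] or \
                not secrets.compare_digest(tac["code"].encode(), code.encode()):
            return False
        if not tac["multi_use"]:
            self.active.pop(user)               # a one-time code is consumed on first use
        return True
```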

End-user experience

  1. A user calls the help desk to ask for a TAC. There may be many reasons why they would request this code, including the following situations:
    • The user forgot their YubiKey at home.
    • The user is a new employee and is onboarding. They haven't enrolled their authenticators yet.
    • They couldn't authenticate with their security methods and their account is locked.
  2. The help desk agent verifies their identity over the phone, or in another way that their organization prefers.
  3. If the help desk agent successfully verifies the user's identity, they create a TAC and give it to the user.
  4. The user goes to their Okta sign-in page.
  5. The user enters the TAC when the Sign-In Widget prompts them for it. They might also be required to authenticate with other methods if their sign-in policies require it.
  6. The user gains access to Okta or their app.

Related topics

Global session policies

Authentication policies

Authenticator enrollment policies