Configure a custom authenticator

A custom authenticator is a possession factor. Depending on your configuration, it can also act as a biometric factor. It verifies user presence, and it’s hardware-protected and device-bound. The custom authenticator allows you to use your own mobile app to verify a user’s identity. The authenticator interacts with the Devices SDK, allowing you to embed push notifications and biometrics directly into your mobile app. As a result, the users stay on your mobile app during the entire sign-in process.

Before you begin

Integrate a custom authenticator (developer documentation).

Add the custom authenticator

  1. In the Admin Console, go to SecurityAuthenticators.

  2. On the Setup tab, click Add Authenticator.

  3. Click Add on the Custom Authenticator tile.

Configure options for the authenticator

Configure the following options:



Authenticator name Name for the authenticator. This name is displayed to end users when they sign in.
Add to existing application Select the app that receives the push MFA prompt.

User Verification

Choose whether the user must provide a PIN or biometric verification during authentication.

Preferred: User verification is optional.

Required: User verification is required during setup.

Authenticator logo

Select the logo for the authenticator. The user sees this logo on the authentication pages.

Browse files: Upload your logo. It must be an SVG file less than 1 MB. For better quality, use a square logo with a transparent background.

Use default logo: Use the default logo.

APNs configuration

For iOS, select the connection to the Apple Push Notification service (APNs) that you want the custom authenticator to use. Select the Production Bundle ID and Debug Bundle ID for the connection to the APNs that you want to use.

FCM configuration

For Android, select the connection to the Firebase Cloud Messaging (FCM) service that you want the custom authenticator to use.

  1. Select the checkbox to agree to the Okta terms and conditions mentioned in the Admin Console.

    By adding this feature, you agree on behalf of the entity you represent that it's your sole responsibility to provide any required notices and disclosures to end users, including any necessary information from the Okta Privacy Policy.

  2. Click Add. The authenticator appears in the list on the Setup tab.

Add the custom authenticator to the authenticator enrollment policy

In Authenticators, go to the Enrollment tab to add the authenticator to a new or an existing authenticator enrollment policy. See Create an authenticator enrollment policy.

Edit or delete the custom authenticator

Before you edit or delete the authenticator, you may have to update existing policies that use this authenticator.

  1. In Authenticators, go to the Setup tab.
  2. Open the Actions dropdown menu beside the authenticator, and then select Edit or Delete.

End-user experience

During the sign-in process, the end user selects your mobile app for a push notification. The app sends the notification to the end user’s another device. After they successfully complete the prompt, they’re signed in.

Related topics

Multifactor authentication