Enabling 2FA on Okta

One of the basic requirements of any security framework is enabling MFA on every critical system where it is supported.

There are multiple ways to set up MFA on Okta. The steps for each method are given below.

Okta Verify

Okta Verify is a mobile app that verifies your identity in one of two ways. Okta can send you a push notification that you approve using Okta Verify. Alternatively, Okta Verify can generate a six-digit code that you enter into your Okta login screen to access your required app.

Install Okta Verify

  1. Download the Okta Verify app from the Apple App Store or Google Play onto your primary mobile device.

  2. Using your computer’s browser, navigate to your organization’s Okta page, e.g. [company.okta.com].

  3. Fill in your company-issued credentials and click Sign In.

  4. When prompted to enroll in Okta Verify, open the Okta Verify app on your phone and scan the barcode that appears in your computer’s browser.

  5. The next time you log into Okta, it should offer to send you a push notification or ask you for a numeric code. If you choose the push notification, then approve it when it arrives on your phone. If you choose to use the code, then access the code in Okta Verify and enter it into your browser.

Note: You can only register Okta Verify on one device at a time. Authenticating on a second device cancels authorization for the first one.

SMS authentication

SMS Authentication uses the text messaging service on your cell phone to send you a one-time login code. You cannot enter this code by approving a push notification as you can in Okta Verify. Instead, you must type it in by hand.

Set up SMS authentication

  1. Using your browser, navigate to your organization’s Okta page, e.g. [company.okta.com].

  2. Fill in your company-issued credentials and click Sign In.

  3. You will see a prompt on your device that says “Extra verification is required for your account”.

  4. Click Setup or Configure Factor.

  5. On the Setup: SMS screen, type your phone number.

  6. Click Send code. Type the SMS code received by your mobile device into the Receive a Code via SMS to Authenticate screen on your computer and click Verify.

Voice call

This factor calls you via your smartphone or landline and reads an access code aloud. You then type the code into the browser to access your app. This is great for people who don’t have access to a cell phone because it doesn’t require push notifications or text messages.

Set up voice call authentication

  1. Using your browser, navigate to your organization’s Okta page, e.g. [company.okta.com].

  2. Fill in your company-issued credentials and click Sign In.

  3. You will see a prompt on your device that says “Extra verification is required for your account”.

  4. Click Setup or Configure Factor.

  5. On the Setup: Voice Call Authentication screen, enter your telephone number.

  6. Click the Call button.

  7. A “Call is in progress…” message appears, followed by a phone call. Enter the provided code into the Enter Code box.

  8. Click the Verify button, then Done, if needed.

Google Authenticator

This is a third-party app that generates a six-digit code for you to type into your Okta login screen. You have 30 seconds to input the code before it generates another. If you miss the window, use the next code to log in. After five unsuccessful attempts, Okta will lock your account for protection and you must contact an administrator for help.

Set up Google Authenticator

  1. Using your browser, navigate to your organization’s Okta page, e.g. [company.okta.com].

  2. Fill in your company-issued credentials and click Sign In.

  3. You will see a prompt on your device that says “Extra verification is required for your account”.

  4. Click Setup or Configure Factor.

  5. On the Set Up Google Authenticator screen, click the device type icon. Click Next. A barcode will appear on your screen.

Install the Google Authenticator app on your device

  1. On your mobile device, open the Apple App Store or Google Play and install Google Authenticator.

  2. Open the Google Authenticator app.

  3. Tap Scan a Barcode. (You might need to install a barcode scanner app; follow the prompts and then re-tap Scan a Barcode.)

  4. Hold your device up to the computer screen and scan the barcode.

  5. Click Next.

  6. Type the Google Authenticator code that appears on your mobile device into the Setup Google Authenticator screen on your computer and click Verify.
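To show where the six-digit, 30-second code described above actually comes from, here is an added example (not from this page, Okta or Google) implementing RFC 4226 HOTP and RFC 6238 TOTP with the Python standard library. The base32 secret is a constructed demo value, and the one-step acceptance window in the verifier is an assumption about how a verifier tolerates clock drift, not Okta's documented behaviour.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret in base32 (the format carried in the enrollment barcode).
# Not a real Okta or Google Authenticator value.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"

TIME_STEP = 30   # seconds each code stays current, as described above
DIGITS = 6       # six-digit code


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret_b32, at // step)


def verify_totp(secret_b32: str, submitted: str, at: int,
                window: int = 1, step: int = TIME_STEP) -> bool:
    """Accept the current code or one from an adjacent step (assumed drift tolerance),
    which is why a code typed just as it rolls over can still be accepted.
    Comparison is constant-time to avoid leaking partial matches."""
    counter = at // step
    return any(hmac.compare_digest(hotp(secret_b32, c, len(submitted)), submitted)
               for c in range(counter - window, counter + window + 1))


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(DEMO_SECRET_B32, now),
          "valid for", TIME_STEP - now % TIME_STEP, "more seconds")
```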

U2F security key (FIDO 1.0)

Some users prefer to authenticate using a physical security key. Some companies create hardware keys that can authenticate you via your computer’s USB port or via near-field communications (NFC). These comply with the universal second factor (U2F) standard hosted by the FIDO Alliance.

Okta supports U2F keys including YubiKey and Google’s Titan Security Key. If you already use one of those, then selecting this factor in Okta lets you stick with the device you already know.

Some browsers feature native U2F support while others need a browser extension to use it.

Authenticate using U2F

  1. Using your browser, navigate to your organization’s Okta page, e.g. [company.okta.com].

  2. Fill in your company-issued credentials and click Sign In.

  3. You will see a prompt on your device that says “Extra verification is required for your account”.

  4. Click Setup or Configure Factor.

  5. Find your security key and follow the prompts to set it up. Click Done.

  6. The next time you sign in, you’ll see a panel with instructions for signing in via your security key.

Web authentication (FIDO2)

FIDO2 offers new methods to authenticate across various websites and devices. If you select Security key or Built-in authenticator at sign-in, Okta prompts you to register an authenticator via Web Authentication. It’s a bring-your-own-authenticator model similar to U2F, but built right into your web applications.

Authenticate using FIDO2

  1. Using your browser, navigate to your organization’s Okta page, e.g. [company.okta.com].

  2. Fill in your company-issued credentials and click Sign In.

  3. You will see a prompt on your device that says “Extra verification is required for your account”.

  4. Click Setup or Configure Factor.

  5. Choose the Security key or built-in authenticator.

  6. Follow the on-screen prompts to register an authenticator via Web Authentication.

YubiKey OTP

Produced by Yubico, a YubiKey is a physical MFA device that delivers a unique one-time password (OTP) every time it is activated. With the key in a USB port, just press the YubiKey hard token to generate a new OTP, which Okta will validate.

Besides the physical YubiKey OTP, YubiKey also supports U2F and, depending on the key series, WebAuthn.

Authenticate using YubiKey

  1. Using your browser, navigate to your organization’s Okta page, e.g. [company.okta.com].

  2. Fill in your company-issued credentials and click Sign In.

  3. You will see a prompt on your device that says “Extra verification is required for your account”.

  4. Click Setup or Configure Factor.

  5. When prompted to choose an MFA option, select YubiKey.

  6. Follow the dialogue directing you to insert the YubiKey into your USB port and then tap the YubiKey to get a verification code.

  7. Click Verify.

Duo

Duo offers its own MFA and mobile access products. Okta supports Duo, ensuring that your existing processes can continue to operate hand-in-hand with Okta MFA. This enables you to keep using your existing Duo-compatible authentication factors to verify your identity.

Authenticate using Duo Security

  1. Using your browser, navigate to your organization’s Okta page, e.g. [company.okta.com].

  2. Fill in your company-issued credentials and click Sign In.

  3. You will see a prompt on your device that says “Extra verification is required for your account”.

  4. Click Setup or Configure Factor.

  5. When prompted to choose an MFA option, select Duo Security.

  6. The setup wizard launches. Click the Start Setup button to continue.

  7. Select a device (mobile phone, tablet, or landline) and click the Continue button.

  8. Either click the Enroll another device button to repeat this process for a different device, or click the Done button.

  9. Return to Okta, and sign in again.

  10. Select the authentication type supported by your device to verify your identity: Duo Push, Text Me, or Call Me.

Symantec VIP

Available for free in the United States and Canada in both enterprise and SSO editions, this factor enables you to sign in using push notification or numeric code.

Install Symantec VIP on your device

  1. On your mobile device, open the Apple App Store or Google Play and install Symantec VIP.

  2. Get your Symantec VIP credential ID and security code from your system administrator.

  3. Using your browser, navigate to your organization’s Okta page, e.g. [company.okta.com].

  4. Fill in your company-issued credentials and click Sign In.

  5. You will be prompted to Setup or Configure Factor.

  6. Enter your ID and security code and click Register.

On-premises MFA

This factor uses an RSA hardware token (dongle) or soft token to generate an authentication code.

Set up On-premises MFA

  1. Using your browser, navigate to your organization’s Okta page, e.g. [company.okta.com].

  2. Fill in your company-issued credentials and click Sign In.

  3. You will see a prompt on your device that says “Extra verification is required for your account”.

  4. Click Setup or Configure Factor.

  5. When prompted to choose an MFA option, select On-Prem MFA.

  6. A dialogue will appear directing you to insert your dongle into your USB port, or input your authentication code.

  7. Click Verify.

Security Questions

To sign in, select a security question from a list and enter the correct response.

Authenticate using security questions

  1. Using your browser, navigate to your organization’s Okta page, e.g. [company.okta.com].

  2. Fill in your company-issued credentials and click Sign In.

  3. You will see a prompt on your device that says “Extra verification is required for your account”.

  4. Click Setup or Configure Factor.

  5. Select the Set Up Security Questions option.

  6. Choose a security question, enter an answer, and then click Save.

The next time you sign in, answer the security question when prompted.

Email Authentication

Although we do offer email as a factor for convenience and to help our customers migrate from legacy identity platforms, we do not consider it to be a secure, modern method for secondary authentication. We strongly recommend against turning on email authentication. Email is an insecure method of additional verification because:

  • Third parties can compromise email addresses.

  • Email often travels in plain text using insecure protocols.

  • People often use email for primary credential recovery.

Set up email authentication

  1. Using your browser, navigate to your organization’s Okta page, e.g. [company.okta.com].

  2. Fill in your company-issued credentials and click Sign In.

  3. You will see a prompt on your device that says “Extra verification is required for your account”.

  4. Click Setup or Configure Factor.

  5. Choose Email. Type in your email, and click Verify.