About Multifactor Authentication
Multifactor Authentication (MFA) is an added layer of security used to verify an end user's identity when they sign in to an application.
An Okta admin can configure MFA at the organization or application level. If both levels are enabled, end users are prompted to confirm their credentials with factors both when signing in to Okta and when accessing an application.
To learn more about admin role permissions and MFA, see Administrators.
MFA factor type comparison
Factor Type | Security | Deployability | Usability | Phishing Resistance | Real-Time MITM Resistance |
---|---|---|---|---|---|
Passwords | Weak | Strong | Strong | Weak | Weak |
Security Questions | Weak | Strong | Moderate | Weak | Weak |
SMS / Voice / Email | Moderate | Strong | Strong | Moderate | Weak |
Push Verification | Strong | Strong | Strong | Moderate | Moderate |
YubiKey OTP | Strong | Strong | Strong | Moderate | Weak |
WebAuthn | Strong | Moderate | Strong | Strong | Strong |
Push verification, such as with Okta Verify Push, is more effective against traditional phishing than OTP. However, for stronger resistance, use a FIDO-based factor, such as WebAuthn, instead.
YubiKeys can be deployed in OTP mode and/or as a WebAuthn factor based on FIDO2 standards.
Enable MFA factor types
- In the Admin Console, go to Security > Multifactor > Factor Types.
- For each factor type, select Active or Inactive to change its status. This setting determines whether the factor type can be enabled for end users, depending on MFA factor enrollment policies.
- For each factor type, configure the available options displayed based on your security requirements.
Softlock
Softlock can be configured for password policies and can also be used for delegated authentication.
- MFA autounlock can only be enabled and defined in a password policy.
- The unlock period can be customized.
- If autounlock is not enabled in the password policy, it won't be enforced at all.
- This lockout counter is shared across all factor types; this means that a user may fail in their attempt to sign in using a variety of MFA factors before their account is locked out.
- Active Directory-sourced users can take advantage of the Okta Self Service feature to unlock their account. However, LDAP-sourced users must contact their administrators to unlock their Okta account.
See the Lock out and About lockouts sections in Configure a password policy for details.
Third-Party MFA Providers with Okta
Okta's native MFA method, Okta Verify, balances ease of use with security. However, sometimes circumstances dictate your choices. Feedback from hundreds of Okta customers currently using Okta for MFA exposed a number of scenarios where a third-party MFA provider was needed. Some customers had a pre-existing investment in a legacy MFA provider and were wary of the cost and effort in changing their user experience. Others required the high-level assurance that hardware tokens can deliver for a subset of privileged users. Still others were in a state of transition—eager to adopt Okta Verify, but reluctant to migrate from their old provider too abruptly.
While authentication methods do matter, they are only a part of the story with Okta. Our flexible policy framework, catalog of thousands of app integrations, and contextual access control allow our customers to broadly deploy MFA across their organizations. You are not restricted to Okta Verify—various third-party authentication methods are compatible and seamless with the Okta identity platform. Okta can even support multiple factors simultaneously, allowing organizations to migrate between factors or support heterogeneous user environments.
This is why Okta expertly supports several third-party MFA providers. The following table lists the supported providers and details about their integration.
Vendor | Integration Type | Note | Supported Authentication Methods | Documentation |
---|---|---|---|---|
Symantec VIP | Native | These integrations are built upon the providers’ APIs or WebSDKs. They vary in feature support because not all features are similarly accessible. | OTP | Configuring Multifactor Authentication |
Duo Security | Native | | OTP, Push, Voice | Configuring Duo Security |
Google Authenticator | Native | | OTP | Configuring the Okta RADIUS Agent |
YubiKey | Native | | OTP, Push OTP | Using YubiKey Authentication in Okta |