Okta Basics Curriculum: Implement Multi-factor Authentication (MFA)
A definition to start –
Multi-factor Authentication: An authentication method that requires a user to present two (or more) different types of evidence to prove their identity. The three most common authentication factors are:
a) something you know (passwords, etc)
b) something you are (fingerprint, iris scan, etc)
c) something you have (swipe card, software token, etc)
Okta currently offers four different types of MFA for users and accounts –
- Soft token with Okta app – user authenticates with a tap on the Okta app on their phone; or soft token on mobile with Google Auth – user authenticates with a one-time password (six-digit code) from the Google Authenticator app on their phone
- SMS authentication – user authenticates with a token that is texted to their phone; or voice call authentication – user authenticates via inbound phone call
- Third party authentication – user authenticates with a third party app/token/fob (Yubikey, RSA SecurID, etc)
- Security Questions – user authenticates (during account setup) with a security question that only they know the answer to (unless they tell everyone on Facebook while filling out a questionnaire). Note that security questions are not technically a second ‘factor’ in normal situations if the user is also using a password – both of these are ‘something you know’.
Multifactor options are under the Security tab in the Okta dashboard.

Each option on the above page needs to be activated before it is available to users. Once the options are activated, you move on to the multi-factor enrollment policy, which will prompt users to enroll in MFA once it is enabled. Okta allows you to set different policies for different groups, if needed, and you can also decide which MFA factors are required vs optional.
The next step after MFA is configured is setting up an Okta sign-on policy. From Security > Authentication, you can set up new sign-on policies from the ‘Sign On’ tab.
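The note on security questions matters when you choose required vs optional factors per group: a policy can look like MFA while still letting a user log in with two ‘something you know’ items. The check below is an added example, not Okta code or an Okta export format; the policy layout, factor labels, group names and the rule that a user must enroll at least one optional factor when nothing is required are all assumptions made for illustration.

```python
# Added example: policy layout and factor labels are constructed for
# illustration; this is not Okta's API or export format.

# Category of each factor type named on this page (SMS and voice are
# classed as "have" because they depend on possession of the phone).
CATEGORY = {
    "password": "know",
    "security_question": "know",
    "okta_app_push": "have",
    "google_authenticator": "have",
    "sms": "have",
    "voice_call": "have",
    "third_party_token": "have",
}


def weakest_enrollments(policy):
    """Return the smallest factor sets a user could enroll under a policy.

    Assumption: every 'required' factor must be enrolled; if none is
    required, the user picks at least one 'optional' factor.
    """
    required = set(policy.get("required", []))
    if required:
        return [required]
    options = [{f} for f in sorted(policy.get("optional", []))]
    return options or [set()]  # nothing configured: password only


def audit(policies):
    """Map group -> minimal enrollments that add no second category."""
    findings = {}
    for group, policy in policies.items():
        weak = [sorted(enrolled) for enrolled in weakest_enrollments(policy)
                if len({CATEGORY[f] for f in enrolled | {"password"}}) < 2]
        if weak:
            findings[group] = weak
    return findings


# Constructed sample policies for three hypothetical groups.
SAMPLE = {
    "engineering": {"required": ["okta_app_push"], "optional": ["security_question"]},
    "contractors": {"required": [], "optional": ["security_question", "sms"]},
    "helpdesk": {"required": ["security_question"], "optional": ["google_authenticator"]},
}

if __name__ == "__main__":
    for group, weak in audit(SAMPLE).items():
        print(f"{group}: password + {weak} is still single-factor")
```

Groups that appear in the result need a possession or inherence factor moved into the required set, or the security question removed from the options.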

Once you add a new policy for a new group, you’ll be prompted to set up a rule for that specific policy – as you can see below, you dictate to Okta whether someone will be authenticated or not, depending on how they attempt to log in and authenticate. This rule also allows you to decide how long the session will last before the user needs to re-authenticate.

Okta also allows you to set sign-on rules for specific applications if needed – from the application’s profile page, click the Sign On tab. At the bottom of the page, the Sign On Policy can be added and built out with specific rules.