Okta Verify
Published: Jan 31, 2018   -   Updated: Jun 22, 2018

 

 


Okta Verify is an MFA factor type designed for end-user identity verification with the Okta service. Okta Verify is available for iPhone, Android, and Windows devices.

 

This section contains information on how to do the following with Okta Verify:

Enabling Okta Verify as an Administrator
  1. Log into Okta as an administrator.

  2. Navigate to Security > Multifactor. Okta Verify is selected by default.

  3. Set the status to Active.

The previous steps allow you to perform an org-level update. To enable Okta Verify with Push on a per-group level, see Multifactor Policies.

Enabling Okta Verify as an End User

The first time end users sign in to their org after you configure this factor, the Extra verification is required for your account page displays on their device. To begin the setup process, they must do the following:

  1. Click Setup.
  2. From their mobile device, end users follow the instructions to download and install the Okta Verify app, and then click Next.
  3. End users configure Okta Verify to link it to their Okta account. They can scan a QR code or manually enter a code.

Setup using a QR Code

  1. On their phone, end users start the Okta Verify app, tap Add Account on iOS, or + on Android.
  2. End users scan the QR code on their computer screen using their device camera.

The pass code generator screen appears and generates pass codes that end users use when prompted for extra verification. End users have 30 seconds to enter the pass code before it generates a new one.

Manual configuration

You can also configure an account manually by doing the following:

  1. On their mobile device, end users start the Okta Verify app, then tap Add Account on iOS, or + on Android.
  2. From the barcode page, they tap No barcode?.
  3. In the Okta Account field, end users enter their Okta username (for example, ted@mycompany.com).
  4. From their computer, end users click the Can’t scan the QR code link to obtain the secret key which they enter in the Secret Key field on their mobile device.
  5. End users tap Save.

The pass code generator screen appears and generates the codes end users use when they are prompted for extra verification. End users have 30 seconds to enter the pass code before it generates a new one.

Use Okta Verify with multiple accounts

End users can use Okta Verify with multiple accounts and even organizations outside of Okta.

Add an account

To add a new account, users simply tap Add Account on iOS, or + on Android. When multiple accounts exist, accounts are displayed in the order in which they were enrolled — the oldest on top.

Reorder accounts

  • iOS: Tap Edit to access edit mode. Then, hold the gripper icon on the right-side of the tile and drag the tile to the preferred location.
  • Android: Tap the three dots to the right of the account that you want to move. Tap Reorder, then hold the gripper icon on the right-side of the tile and drag it to the preferred location.

Edit an account name

  • iOS: First tap Edit in the upper-right corner to enter edit mode, then tap the organization name you want to change.
  • Android: Tap the three dots icon on the right side of the account you want to edit, then tap Rename.

Delete an account

  • iOS: Tap Edit to access the edit view, then tap the red delete icon to remove the account from the list.
  • Android: Tap the three dots to the right of the account you want to delete, then tap Delete.

On both iOS and Android, end users are asked to confirm that they want to delete the account before the action is completed. Account deletion is permanent and prevents sign on for the account.

Using Okta Verify with Apple Watch and Android Wear

Okta Verify is also available for use with Apple Watch and Android Wear. Your end users can search for and install Okta Verify as they would any other app. If Okta Verify is configured as an authentication factor for your org, your end users can easily link Okta Verify to their Okta account, as described in Multifactor Authentication.

Apple Watch

The Okta Verify for Apple Watch app allows you to view and accept or deny Okta Verify with Push challenges from your watch screen. The watch also displays a rotating one-time password to allow authentication if Push is not enabled, or if internet connectivity is unavailable.

Once you've paired your watch with an iPhone, the Okta Verify app installs automatically. Note that while the app can be opened and used at any time, the watch only receives notifications from the iPhone if it is locked. This is per Apple design.

Android Wear

The Okta Verify for Android Wear app allows you to view and accept or deny Okta Verify with Push challenges from your watch screen. End users can also access the OTP on their Android Wear devices.

Using Push Authentication with Okta Verify

Push notifications enable users to verify their identity with a single tap on their mobile device, without the need to type a code. Users gain access to their apps easily while retaining the same higher level of security. This feature is available for iPhone, Android, and Windows devices.

For more information about using Okta Verify Multifactor Authentication (MFA), see Multifactor Authentication.

Once you enable Okta Verify with Push Authentication for your org (see Admin Configuration below) and set the appropriate policy, the next time your end users sign in to Okta, they're prompted to configure it for their account. The device UI displays instructions to guide users through the configuration process, as described in the following sections. For the end user experience after enablement, see End User Experience After Enablement.

Note: If you need to rename your existing Okta subdomain for any reason, security dictates that your active end-user Okta Verify enrollments be reset. For more details on renaming subdomains, see Renaming Your Okta Subdomain.

 

RADIUS Support

If you wish to use Okta Verify with Push in conjunction with the Okta RADIUS agent, you must upgrade to version 2.1.5 or later of the agent. For the version history and the current agent version, see Okta RADIUS Server Agent Version History. The previous steps allow for an org-level update. To enable Okta Verify with Push on a per-group level, see Multifactor Policies.

End User Configuration

Your end users first need to upgrade to the latest version of the Okta Verify Mobile app (Version 2.0.5 and above for iPhone, Version 1.0.0.6 and above for Windows devices, and Version 2.0.5 and above for Android).

If the user doesn’t already have Okta Verify configured, they'll need to go through the standard Okta Verify enrollment process to configure it.

Do so as follows:

  1. From your (end user) Okta Home page, click the drop-down menu next to your name, then select Settings.
  2. Scroll down to the Extra Verification section and click Configure Factor adjacent to Okta Verify Mobile App.

The Set Up Okta Verify screen appears.

  3. Choose your device type (Apple, Android, or Windows).
  4. Click Next.
  5. Scan the bar code that appears with your device. If you have issues scanning the bar code for any reason, click the Problems scanning barcode? link.
  6. From this screen, you can choose to have an activation link sent to an email address or to a cellphone via SMS, or to set up Okta Verify manually, without Push Authentication. If you select the manual option, the screen expands.
  7. Continue configuring Okta Verify manually, as described in Multifactor Authentication.

End User Experience

The flow for end user identity confirmation via Okta Verify is as follows:

  1. The Okta administrator configures Okta Verify in the administration console.
  2. The end user logs in to Okta and is prompted to verify their identity via Okta Verify.
  3. The end user chooses to verify their identity by having a push notification sent to their mobile device or by entering a verification code.
  4. The end user must approve the push notification or enter the verification code manually as displayed in the Okta Verify app.
  5. Upon successful verification, the end user is logged in automatically to Okta and redirected to their account dashboard.

The Okta Verify Authentication challenge screen is displayed when an end user attempts to log in to Okta:

 

On mobile devices, end users are given an option to either enter a verification code or receive a push notification to confirm their identity.

Okta Verify Code

Okta Verify generates numbers using the industry standard Time-Based, One-Time Password Algorithm (TOTP). Users can create multiple accounts for multiple organizations, including accounts outside of Okta.

With Okta Verify, end users can generate a six-digit code to sign in to Okta if additional verification is required. To authenticate using this verification code, open Okta Verify on your device and enter the one-time code displayed on the screen.

 

Push notifications

Okta Verify Push Notification service sends a notification to an end user's mobile device and requests approval so the end user can sign in to Okta successfully. The push request is valid for up to five minutes once sent from a login session.

To use push notifications, select Send Push to send a push authentication to your device. There are two ways to have push notifications sent to your device - manually or automatically.

  • A notification is sent to your device manually once you tap Approve to sign in to your account.

  • A notification is sent to your device via the automatic push option:

    Select Send push automatically in your browser to enable automatic push notifications from the assigned mobile device.

    Note that in order to enable automatic push notifications, you must first send a manual notification to your device. Once the initial verification has taken place and Send push automatically is selected, all future notifications will be sent to your device automatically.

 

Upgrade to Okta Verify with Push

If you want to prompt your users to upgrade to a version of Okta Verify that supports Push Authentication, first enable that functionality. For details, see Admin Configuration, below. When enabled, the next time your end users use Okta Verify, a Please update your profile screen displays with a button allowing them to immediately upgrade. Your end users can either upgrade or click Remind me later to continue without upgrading. If they choose to be reminded, a prompt is shown the next time they sign in.

Enabling and Configuring Okta Verify with Touch ID

This is an Early Access feature. To enable it use the Early Access Feature Manager as described in Manage Early Access Features.

Okta Verify with Touch ID uses Touch ID technology to guard against unauthorized use of Okta Verify. You can configure an end-user fingerprint request, which appears after the initial MFA challenge. If the user's device is lost or stolen, no one else can gain access to it. This feature is currently only available for iOS devices.

The following assumes that you have enabled Okta Verify for your org. If not, see Admin Configuration for information on this initial configuration.

Admin configuration for Okta Verify with Touch ID

When Touch ID is enabled, your end users are prompted to configure Touch ID for their device during enrollment or authentication challenge. The device UI displays instructions to guide users through this configuration process, as described in End User Configuration for Okta Verify.

  1. Log into Okta as an administrator.

  2. From the Okta Dashboard, navigate to Security > Multifactor. Okta Verify is selected by default.

  3. Under Okta Verify Settings, click Edit.

  4. Select Require TouchID for Okta Verify.

  5. Click Save.

Note: Enabling Require TouchID for Okta Verify does not prevent end users with devices that do not support TouchID from using Okta Verify to authenticate into your org.

End User Configuration for Okta Verify with Touch ID

Your end users first need to upgrade to the latest version of the Okta Verify app (Version 2.5.2 for iOS).

End-users previously enrolled in Okta Verify with Push

If your end users are already enrolled in Okta Verify with Push, and you simply enable Touch ID for your org, there is very little setup required for your users. The next time they authenticate with Push, the response depends on whether their fingerprint has been captured by the native iOS device.

  • If the end users' fingerprint has not been captured by the iOS device, clicking Send Push on the Okta Verify authentication page activates the Touch ID Required screen on their device (as shown in Step 1 below).
  • If their fingerprint has been captured and saved on the iOS device, clicking Send Push on the Okta Verify authentication page activates the Touch ID for Okta Verify screen on the device (as shown in Step 3 below).

End-users Not Previously Enrolled in Okta Verify with Push

If the user doesn't already have Okta Verify configured, they'll need to go through the standard Okta Verify enrollment process to configure Okta Verify with Push. For steps on doing this, see Okta Verify Enrollment.

After the barcode step is completed, Okta automatically determines if Touch ID is required to complete the enrollment. If so, your end users will be prompted to configure Touch ID for their device. The user is not able to complete enrollment or gain access to their Sign-In page until their Touch ID setup is complete.

End users will flow through the following steps on their iOS device:

  1. The initial Touch ID prompt appears.
  2. If they have not previously captured their fingerprint, they are directed to the native iOS Touch ID & Passcode setup screen. This screen does not appear if the iOS device contains a saved fingerprint.
  3. The Touch ID for "Okta Verify" screen appears.

  • The end-user provides their touch to the iOS device Home button.
  • Enrollment is complete. If Push is enabled, the end user clicks Approve; if Push is not enabled, a One-Time Password (OTP) screen appears.


End user challenge

Typically, when signing in with Touch ID, the end user experiences the following flow:

From the Okta Sign In page,

  1. Enter your username and password. The Okta Verify Authentication page appears.

  2. Depending on enablement, click Send Push or click the Or enter code link.

From your iOS device, the Touch ID for "Okta Verify" screen appears.

  1. Provide your touch to the iOS device Home button.

  2. If Push is not enabled, the One-Time Password (OTP) screen appears and you can enter your code. If Push is enabled, click Approve, and you are automatically authenticated into Okta.

Note: If less than thirty seconds have elapsed since unlocking the device or since the last verified fingerprint was placed on the app, the Touch ID screen will not reappear.

Use multiple accounts

When multiple accounts exist, Touch ID accounts are distinct from the other authentication options in several ways.

Icons

Touch ID accounts are identified by their thumbprint icon and obfuscated numbers. End users touch the fingerprint icon to expose the authentication number.

These accounts are also distinct when Touch ID is required by an org admin. If an admin requires Touch ID authentication and it has not yet been set up by an end user, alert icons appear on each account. The user touches an alert icon, then the Touch ID Setup Required message appears with instructions for Touch ID setup in device Settings.

Grouped authentication

If more than one Touch ID account is being used, verifying one account will simultaneously expose them all—every authentication number is visible. They remain for a one-minute grace period, then return to an obfuscated state.
