Does Okta support a cert based user authentication as a second factor? This is needed for application based services accounts authentication into G-Suite. Simply username/password is not secure enough to authenticate API calls from Okta to G-Suite. Thanks,
I am going to speak in terms of authentication and authorization here.
Authentication is how apps identify who users are. Typically, that means username (who) and password (verification). Authorization is how apps decide what a user is allowed to do. For Okta, a common use of authorization is to decide which applications a user has access to and which apps he does not.
Besides username and password, as a Multifactor Authentication, Okta uses:
- Okta Verify (by Push Notification or TouchId) - Google Authenticator - SMS Authentication - Symantec VIP - On-Prem MFA (by RSA SecurIP or Custom) - Duo Security - Yubikey - Security Question
So that is about MFA. Now regarding API Calls and information send over from Okta (outbound) or even inbound, we mainly use SWA (Secure Web Authentication) and SAML 2.0 and here's where I would like to draw your attention to. By using SAML 2.0 your users can be provisioned into a specific App. without even having passwords. SAML is using certificates for establishing trust between companies and this is one of the most secure ways of configuring an App. Let me provide to you some documentation as well:
To sum it up, Okta supports certificate establishments, but it is not considered as being a second factor authentication, as you mentioned, but it has more to do with the authorization of a user into an app. Also, it depends which apps. accept SAML 2.0 infrastructure, but G Suite does for sure.
Hopefully you got your answers here! Wish you all the best in your work, Alex!