<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content

Okta Feature: Require Phishing-Resistant Authenticator to Enroll Additional Authenticators

Multi-Factor Authentication
Okta Identity Engine

Overview

Okta's platform provides the option to require that users authenticate themselves using a phishing-resistant authenticator before enrolling in additional authenticators. The term "phishing-resistant" refers to an authentication method that does not involve sharing information, such as passwords or OTPs, via text messages or authentication apps. Two examples of phishing-resistant authenticators are FIDO2 (WebAuthn) and Okta FastPass, which use secure authentication methods that do not create shareable information.

Applies To

  • Okta Identity Engine (OIE)
  • Multi-Factor Authentication (MFA)

Solution

To enable this feature, in the Okta Admin Consoleclick Settings > select Features > choose Require phishing-resistant authenticator to enroll additional authenticators.

Require phishing-resistant authenticator to enroll additional authenticators 

 

When enrollment policy restrictions prevent a user from enrolling in two authenticators that meet the assurance requirements, they will be unable to add more authenticators until they satisfy the necessary policy requirements. If this happens, the user may encounter an error message indicating that additional authentication methods cannot be added.
Sign in 
 

If a user is not registered with a phishing-resistant authenticator and the Require phishing-resistant authenticator to enroll additional authenticators feature is turned on for their organization, the user can still add more authenticators by using their current authenticators to verify their identity.

 

Related References

Loading
Okta Support - Okta Feature: Require Phishing-Resistant Authenticator to Enroll Additional Authenticators