This article explains different scenarios for using the Okta Verify (OV) app for MFA that are seen when an end user has a VPN on their phone that is blocked by the Dynamic Network zone.

• Okta Verify (OV)
• Dynamic Zone

If the end user is using a VPN on a phone that is blocked by a Dynamic network zone and tries to authenticate on a different machine when the MFA prompt comes for Okta verify on the same phone, they might not be able to use OV on the phone (depending on the use case) to provide MFA to authenticate the user due to the blocked VPN service.

If the users have VPN on their phone/mobile device and log into their work laptop without VPN, Okta Verify(OV) will work on their mobile device with VPN, depending on what scenario they are facing:

Below are two scenarios that an end user may face:

1. If the end user already has a session on the Okta Verify app on their phone, they should receive the OV prompts even with the VPN on their phone. Okta Verify enrollments last indefinitely on a phone, provided the app is not restored or reinstalled from a backup.

1. 1. Push and OTP will work as Okta is not looking for a response location. Okta relies on the user accepting or rejecting the request.

   2. Fastpass—This would depend. It could ultimately break phishing resistance, so it could work in some scenarios and break in others. For example, iCloud Private Relay breaks phishing resistance with FastPass. For more information, please check the Phishing resistance in unmanaged iOS devices documentation. 

2. If VPN is turned on and a user tries to set up/enroll (Initial) OV on his phone, it will be blocked. 

Related References

• Phishing resistance in unmanaged iOS devices