Okta Verify Interaction When Blocking VPN or Proxy Through Dynamic Zones
Overview
When an end user connects to a Virtual Private Network (VPN) on a mobile device that is blocked by a Dynamic Network Zone, Okta Verify authentication behavior varies based on the scenario. The blocked VPN service prevents initial Okta Verify enrollment, but existing enrollments may still process Push and One-Time Password (OTP) requests successfully. The end user experiences inconsistent Multifactor Authentication (MFA) prompt deliveries or enrollment failures when attempting to authenticate on a separate machine while the blocked VPN remains active on the mobile device.
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Okta Verify
- Dynamic Network Zones
Cause
An end user attempts to authenticate on a separate machine while using a VPN on a mobile device that is blocked by a Dynamic Network Zone. When Okta sends the MFA prompt to the mobile device, the blocked VPN service interferes with the Okta Verify application, depending on the specific authentication use case.
Solution
How does Okta Verify function when a mobile device uses a blocked VPN?
Review the following scenarios to understand how Okta Verify processes existing sessions, Push notifications, FastPass requests, and initial enrollments when a blocked VPN is active on the mobile device.
- Existing Okta Verify Session: If the end user already has an active session in the Okta Verify application on the mobile device, Okta delivers the prompts even with the VPN active. Okta Verify enrollments last indefinitely on a mobile device, provided the user does not restore or reinstall the application from a backup.
- Push and OTP: Push notifications and OTP function correctly because Okta does not evaluate the network location from which the response is sent. Okta relies only on the user accepting or rejecting the request.
- FastPass: FastPass functionality varies. The blocked VPN can break phishing resistance, causing FastPass to work in some scenarios and fail in others. For example, iCloud Private Relay breaks phishing resistance with FastPass. Review the Phishing resistance in unmanaged iOS devices documentation for more information.
- Initial Enrollment: If the VPN is active and an end user attempts to set up or enroll in Okta Verify for the first time on the mobile device, Okta blocks the enrollment.
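When an admin has to tell these scenarios apart for a specific user (prompts that still arrive versus enrollments that are blocked), the Okta System Log is where the evidence lives. The following is an added example written for this article, not Okta-provided code: it fetches a user's events from the real `/api/v1/logs` endpoint and summarizes outcomes per event type, flagging events whose client was evaluated inside the blocking zone. The zone name `Block VPN and Proxies`, the sample events, their IP addresses and their reason strings are all constructed for illustration; the event type names used in the sample (`user.mfa.factor.activate`, `user.authentication.auth_via_mfa`, `system.push.send_factor_verify_push`) are real System Log event types.

```python
"""Summarize Okta System Log events for one user to see whether MFA prompts
succeeded or enrollment failed while the phone sat behind a blocked VPN.
Added example for this article; not Okta-provided code."""
import json
import urllib.parse
import urllib.request
from collections import Counter

# Hypothetical name of the Dynamic Network Zone that blocks VPN/proxy traffic.
BLOCKING_ZONE = "Block VPN and Proxies"


def fetch_user_events(org_url, api_token, user_login, since):
    """Pull System Log events for one user from /api/v1/logs (real endpoint;
    needs a read-only API token). Performs a live request, so it is not
    exercised by the offline demo below."""
    query = urllib.parse.urlencode({
        "filter": f'actor.alternateId eq "{user_login}"',
        "since": since,          # ISO 8601, e.g. 2024-01-01T00:00:00Z
        "limit": 200,
    })
    req = urllib.request.Request(
        f"{org_url}/api/v1/logs?{query}",
        headers={"Authorization": f"SSWS {api_token}",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize(events, blocking_zone=BLOCKING_ZONE):
    """Return (counts, blocked): counts maps eventType -> Counter of
    outcome.result; blocked lists events whose client.zone is the blocking
    zone, which is where enrollment failures from a VPN-connected phone show up."""
    counts = {}
    blocked = []
    for ev in events:
        outcome = ev.get("outcome") or {}
        result = outcome.get("result", "UNKNOWN")
        counts.setdefault(ev.get("eventType", "?"), Counter())[result] += 1
        client = ev.get("client") or {}
        if client.get("zone") == blocking_zone:
            blocked.append({
                "published": ev.get("published"),
                "eventType": ev.get("eventType"),
                "result": result,
                "reason": outcome.get("reason"),
                "ipAddress": client.get("ipAddress"),
            })
    return counts, blocked


# Constructed sample events (shape follows the System Log schema; values are
# made up). A push for an existing enrollment succeeds from the laptop, the
# MFA step succeeds, but a fresh enrollment attempted from the VPN-connected
# phone lands in the blocking zone and fails.
SAMPLE_EVENTS = [
    {"published": "2024-05-01T09:00:01.000Z",
     "eventType": "system.push.send_factor_verify_push",
     "actor": {"alternateId": "jdoe@example.com"},
     "outcome": {"result": "SUCCESS"},
     "client": {"zone": None, "ipAddress": "198.51.100.10"}},
    {"published": "2024-05-01T09:00:09.000Z",
     "eventType": "user.authentication.auth_via_mfa",
     "actor": {"alternateId": "jdoe@example.com"},
     "outcome": {"result": "SUCCESS"},
     "client": {"zone": None, "ipAddress": "198.51.100.10"}},
    {"published": "2024-05-01T09:15:42.000Z",
     "eventType": "user.mfa.factor.activate",
     "actor": {"alternateId": "jdoe@example.com"},
     "outcome": {"result": "FAILURE",
                 "reason": "Constructed: request denied by network zone"},
     "client": {"zone": "Block VPN and Proxies", "ipAddress": "203.0.113.77"}},
]


if __name__ == "__main__":
    counts, blocked = summarize(SAMPLE_EVENTS)
    for event_type, results in sorted(counts.items()):
        print(f"{event_type}: {dict(results)}")
    print("Events evaluated inside the blocking zone:")
    for entry in blocked:
        print(f"  {entry['published']} {entry['eventType']} "
              f"{entry['result']} from {entry['ipAddress']} ({entry['reason']})")
```

To run it against a real org, replace `SAMPLE_EVENTS` with `fetch_user_events("https://your-org.okta.com", token, "jdoe@example.com", since)` and set `BLOCKING_ZONE` to the name of your own Dynamic Network Zone. A successful `auth_via_mfa` next to a failed `factor.activate` in the blocking zone is the signature of the behavior described above: existing enrollments keep working, first-time enrollment from behind the blocked VPN does not.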
