MFA Authenticator Options
Okta Classic Engine
Multi-Factor Authentication
Okta Identity Engine
Overview

SMS has played an important role as a universally applicable method of verifying a user's identity via one-time passcodes. However, SMS offers limited assurance: codes can be intercepted through SIM swapping or carrier-network weaknesses, and a user can be tricked into relaying a code to a phishing site in real time. Okta has long recommended moving away from phone-based authentication.


Although customers are free to continue using SMS and voice for authentication by bringing their own provider, Okta urges customers to consider higher-assurance out-of-the-box authenticators such as Okta Verify, FastPass, and FIDO2 WebAuthn.

Applies To
  • MFA Authenticator Options
Solution

The following are alternative options to SMS and voice for customer consideration:


Option 1. Mobile authenticator apps

Mobile authenticator apps generate OTPs within the app or, preferably, receive push notifications. When a user enters their credentials into a web app, they are then prompted either to enter the OTP or to approve the push notification sent to their phone. Push approval is more convenient than typing a code, but a bare approve/deny prompt can be worn down by repeated requests (push fatigue), so prefer apps that add number matching or another challenge to the prompt. If your mobile authenticator app gates approval behind a biometric like Face ID on iOS or fingerprint on Android, even better.

Benefits of mobile authenticator apps over SMS OTP:

  • Does not rely on your wireless carrier's reliability or security: the OTP seed and the push registration are tied to the device, not the phone number, so a SIM swap or port-out does not move the factor to an attacker
  • Many authenticator apps offer mobile OTP for free and can be used for both enterprise and consumer use cases
  • Mobile OTP codes rotate on a short time step (typically 30 seconds), offering a better level of security than SMS OTP, whose codes often stay valid for minutes
  • No dependency on location, and in some cases no dependency on internet/data: if you are traveling internationally, mobile OTP and push notifications will still work. OTP codes specifically work even if your device has no cellular service or data, because they are computed from a shared secret and the current time
  • Securing push approval with a biometric offers an increased level of security: even if your phone is stolen, the push notification cannot be approved without the owner's biometric or device unlock


There are many different mobile authenticator apps on the market, some are a better fit for enterprise use cases than others.

Examples of mobile authenticator apps include:


Option 2. FIDO2 (WebAuthn)

WebAuthn is a browser API that lets web applications simplify and secure user authentication by using registered devices (phones, laptops, security keys, etc.) as factors. Each credential is a public/private key pair that the browser binds to the web origin it was registered for, which is what protects users from advanced phishing attacks: a look-alike domain cannot obtain a valid signature for the real site.


In March 2019, the World Wide Web Consortium (W3C) published WebAuthn as a web standard for passwordless logins. To learn more about how WebAuthn works, see our post here. Of the factor types discussed here, WebAuthn is the only one that is phishing-resistant by design.


WebAuthn factors can be on-device (platform), or off-device (roaming). Here are some details on both:


Off-device/roaming authenticators: These are WebAuthn-supported factors that are not built into the hardware (computer/phone). They connect to the device over USB, NFC, or Bluetooth; hardware security keys are the typical example, and one key can be used across several computers and phones.


On-device authenticators/platform authenticators: These are WebAuthn-supported factors that are built into the hardware (computer/phone).

  • Windows Hello on Windows 10 1903 and later
  • Touch ID on MacBook
  • Fingerprint on Android 7.0+


Support for WebAuthn is dependent on the web app updating their authentication process to support the WebAuthn API, browser support, OS support, and hardware support. This may seem overwhelming, but thankfully, many operating systems, devices and browsers already support WebAuthn. And, while consumer apps are still in the process of adopting this standard, if you’re using an enterprise-grade authentication provider to secure access for the workforce, it’s likely you’ll be able to use WebAuthn with that provider.


Benefits of WebAuthn over both SMS OTP and mobile authenticator apps:

  • A standards-based approach to secure passwordless authentication
  • Phishing-resistant factor type: each WebAuthn factor a user enrolls is a distinct public/private key pair, and the signed assertion covers the origin and relying-party ID, so a credential cannot be exercised from a look-alike domain
  • Best experience for end users - use of biometrics means swift, seamless logins
  • The same biometric you use to login/unlock the device can be used to access apps
  • Multiple options for devices & security keys


Examples of browsers, hardware, and operating systems that support WebAuthn:

  • Google Chrome on macOS using Touch ID
  • Google Chrome on Windows 10 using Windows Hello
  • Microsoft Edge on Windows 10 using Windows Hello
  • Firefox on Windows 10 using Windows Hello
  • Google Chrome on Android 7.0+ using devices with fingerprint support
  • Desktop apps on Windows and macOS that use a WebAuthn-compatible browser for login using Windows Hello and Touch ID, respectively
  • Native mobile apps that use a WebAuthn-compatible browser (like Chrome) for login on Android 7.0+ using fingerprint support


Please contact Okta Support if you require assistance.
