When attempting to enroll in Okta Verify, users in an Okta Identity Engine (OIE) organization do not see or cannot use the Secret Key or the "manual setup without push notification" option that was previously available in Okta Classic Engine. Instead, users are presented with options such as QR code scanning, email links, SMS links, or a streamlined "Same-Device Enrollment" flow.
- Okta Verify
- Okta Identity Engine (OIE)
- End-users attempting to manually set up Okta Verify accounts
The ability to set up Okta Verify manually with a Secret Key is no longer supported for new enrollments in Okta Identity Engine (OIE). This change was implemented primarily for security reasons, alongside efforts to enhance the user experience and align with modern authentication best practices.
- Enhanced Security: Manual entry of secret keys can be more vulnerable to phishing attacks, where an attacker might trick a user into revealing the key. Newer enrollment methods (QR codes, activation links) facilitate a more secure, cryptographically bound enrollment to the specific device, reducing this risk.
- Streamlined User Experience: OIE prioritizes a simpler and faster setup process. QR code scanning and activation links offer a more intuitive and less error-prone experience for most users, reducing friction and the need for help desk assistance.
- Modern Authentication Alignment: Okta Identity Engine is built on an advanced authentication framework that emphasizes phishing-resistant factors and a seamless user journey. Deprecating less secure or more cumbersome enrollment methods aligns with this strategic direction.
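The Enhanced Security point above can be shown in code. This is an added example, not Okta code: it assumes the Secret Key is a standard RFC 6238 TOTP seed (the page does not name the algorithm), and `totp`, `verify` and the sample key are constructed for illustration. The verifier's only inputs are the key and the clock, so nothing ties a valid code to the device that was enrolled.

```python
import base64
import hashlib
import hmac
import struct

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) computed from a Base32 secret key."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)                      # restore stripped Base32 padding
    key = base64.b32decode(s)
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, code, now, window=1, step=30):
    """Server-side check: accepts the code for the current step +/- window.

    Note what is NOT an input: no device identifier, no device-held private
    key, no origin. Possession of the secret is the whole credential.
    """
    return any(
        hmac.compare_digest(totp(secret_b32, now + k * step, step), code)
        for k in range(-window, window + 1)
    )

# Constructed sample: the RFC 6238 test key "12345678901234567890" in Base32.
SECRET_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    now = 59
    # Two independent holders of the same typed-in key (for example the user's
    # phone and any other copy of the key) derive the same code.
    holder_a = totp(SECRET_KEY, now)
    holder_b = totp(SECRET_KEY.lower(), now)      # re-typed copy, different case
    print(holder_a, holder_b, verify(SECRET_KEY, holder_b, now))
```

A QR code or activation link enrollment that binds a key generated on the device avoids this property, because there is no human-readable secret for the user to retype or disclose.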
For users in an Okta Identity Engine (OIE) organization, alternative and more secure methods are available for Okta Verify enrollment:
- QR Code Scanning: The most common and recommended method, where users scan a QR code displayed on their computer screen with the Okta Verify app on their mobile device.
- Email Activation Link: An activation link is sent to the user's primary email address, which they can click on their mobile device to complete enrollment.
- SMS Activation Link: An activation link is sent via SMS to the user's registered phone number.
- Streamlined "Same-Device Enrollment": If enabled in the organization, this feature allows users to initiate and complete Okta Verify and FastPass enrollment directly on the same desktop or mobile device they are currently using, significantly simplifying the process.
NOTE: If the organization is still on Okta Classic Engine, the Secret Key option for manual Okta Verify setup should still be available if other methods are not feasible.
