
JordanJ.26599 (Customer) asked a question.
Hello,
My organization is adopting Okta MFA and we are struggling with how to secure MFA enrollment. Currently, the only "trusted" factor enrollment supported by Okta is email MFA. A "trusted" factor is any factor type that is predefined as part of that user's identity. With our old IdP, the telephone number, mobile number, and email AD attributes are imported into the IdP and available for OTP code delivery. This was acceptable as all of these factors were pre-defined and could not be updated by the user. With Okta, the only pre-defined factor is email, which does not help us for users who do not have access to their email to retrieve the OTP. These users need the ability to obtain a code outside of email. It's my understanding with Okta that there is NO way to pre-define/import the telephone and mobile phone number for use with MFA.
So if a new user's account has been compromised before they have configured Okta MFA, a malicious actor could set up those factors (SMS/voice/Okta Verify) on their own device and now has 2FA access on our network. What are other organizations doing about this? Just accepting the risk?

You are not able to pre-populate the phone number for SMS/voice call MFA, as the phone number on the profile isn't actually what Okta looks at during the challenge.
One option you have is to create a Network Zone specific to your corporate network and only allow users to enroll when on that network with a Factor Enrollment Policy. This would mitigate the potential for a bad actor to authenticate and register for MFA while off network. While not 100%, this will reduce your attack surface from anyone off network.
Joe
Thanks for the response Joe. We created a script using a few API calls to pre-enroll the SMS factor for users. We aren't sure we are going to deploy this method since there are several nuances, but we did confirm it does work. This is certainly not an out-of-the-box setup and I wish Okta had a way to do this without lengthy scripting and API usage.
The use case we are trying to solve for is a remote/virtually onboarded user who would not be on our corporate network. They must have Okta set up before they are able to sign into their computer so we could leverage network zones to secure that type of enrollment. We are considering a separate MFA enrollment policy targeting virtual new-hires which opens up a window in which these users can enroll in Okta Verify/SMS.
I'm mostly just curious how other orgs are securing the MFA enrollment. Obviously only allowing MFA enrollment on your corp network is one way of doing it, but for those allowing MFA enrollment off-net, how is that being done securely?
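Added example, not part of the original thread and not Okta's own tooling: a Python sketch of the kind of pre-enrollment script described above, seeding a user's SMS factor from an AD-sourced mobile number through the Okta Factors API and flagging any SMS number that was enrolled by someone else first. Assumptions: the org URL and API token are placeholders read from the environment, the `activate=true` query parameter on `POST /api/v1/users/{id}/factors` activates the factor without an OTP round-trip to the user (check this against the Factors API docs for your org), and the factor list is a constructed sample.

```python
import json
import os
import urllib.request

# Placeholders: point at your org and an admin SSWS API token via environment.
OKTA_ORG = os.environ.get("OKTA_ORG", "https://example.okta.com")
API_TOKEN = os.environ.get("OKTA_API_TOKEN", "REPLACE_ME")

# Constructed sample of a GET /api/v1/users/{id}/factors response for the demo.
SAMPLE_FACTORS = [
    {"id": "f1", "factorType": "email", "provider": "OKTA",
     "profile": {"email": "new.hire@example.com"}},
    {"id": "f2", "factorType": "sms", "provider": "OKTA",
     "profile": {"phoneNumber": "+15555550199"}},
]

def build_enroll_request(org, user_id, phone_number, token):
    """Return (url, headers, body) for an admin-side SMS enrollment.
    Assumption: POST /api/v1/users/{id}/factors?activate=true activates the
    factor at enrollment, so no OTP round-trip with the user is required."""
    if not (phone_number.startswith("+") and phone_number[1:].isdigit()):
        raise ValueError("phone number must be E.164, e.g. +15555550123")
    url = f"{org}/api/v1/users/{user_id}/factors?activate=true"
    headers = {"Authorization": f"SSWS {token}", "Accept": "application/json",
               "Content-Type": "application/json"}
    body = {"factorType": "sms", "provider": "OKTA",
            "profile": {"phoneNumber": phone_number}}
    return url, headers, body

def plan_enrollment(factors, trusted_number):
    """'skip' if the AD-sourced number is already enrolled, 'review' if a
    different SMS number is enrolled (it was not set by this process and
    should be checked before onboarding continues), otherwise 'enroll'."""
    enrolled = {f["profile"].get("phoneNumber")
                for f in factors if f.get("factorType") == "sms"}
    if trusted_number in enrolled:
        return "skip"
    return "review" if enrolled else "enroll"

def enroll_sms(user_id, phone_number):
    """Perform the enrollment (network call; the demo below does not run it)."""
    url, headers, body = build_enroll_request(OKTA_ORG, user_id, phone_number, API_TOKEN)
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    print(plan_enrollment(SAMPLE_FACTORS, "+15555550123"))  # -> review
```

Run `plan_enrollment` against each new hire's current factor list before calling `enroll_sms`, and treat a `review` result as a signal to investigate rather than overwrite.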