Okta Classic Engine | Multi-Factor Authentication | Answered | 2026-02-17T09:00:19.000Z | 2024-08-19T18:53:19.000Z | 2024-09-04T17:00:55.000Z

User16370330549592969269 (Customer Support Online Experience) asked a question.

Okta’s New MFA Requirement for Admin Console Access - Join the discussion for the “Ask Me Anything” online event on September 4, 2024 with Okta product experts

Join us for an online interactive Ask Me Anything (AMA) with Okta product experts as we discuss the recent enforcement of MFA for Admin Console access. Starting August 2024, single-factor access to the Admin Console will no longer be supported. We’re here to answer your questions, explain the rationale behind this policy change, share tips and best practices, and help you smoothly adjust to this new security policy.

 

Why does this matter?

MFA is a simple and reliable way to enhance security for application access. By enforcing MFA for all Okta tenants, Okta is making a significant step toward protecting your organization’s sensitive information.

 

We understand that certain use cases may be affected, such as break-glass accounts and shared admin accounts that rely on single-factor access. This AMA will help you understand the impact and ensure you're fully prepared to adopt this change with minimal disruption. 

 

What can I expect to learn?

Learn why MFA is now required for all Admin Console access and address any concerns about its impact on your organization. Discover how to implement MFA without disrupting key processes and explore best practices for common scenarios, such as admins federating from external identity providers, managing test automations and RPA account logins, and handling break-glass access and shared privileged accounts.

 

How will it work?

Ask questions from today to Tuesday, September 3, 2024. Please use the Answer button below to ask your questions.

 

Come back on Wednesday, September 4, 2024, from 9 a.m. to 11 a.m. PST to join the online session as our Okta Product experts answer your questions.

 

Want to learn more details about this AMA session? Check out this blog article -> https://support.okta.com/help/s/blog/a674z000000147lAAA/join-our-ama-oktas-new-mfa-requirement-for-admin-console-access?language=en_US

 

 


  • I'm an administrator of an organization, and I set up MFA in the organization, but I deleted the MFA setting for my personal account, causing me to loop through the login page now.

    image[REDACTED by moderator.]

  • I've read on Azure forums that it may be necessary to set Okta up as an "External Authentication Method" for the MFA to apply to the coming policy, but it isn't clear how this interoperates, if at all, in a federated scenario. Any guidance from your perspective would be helpful.

  • DanS.78840 (Customer)

    Hi,

     

    We do have some read-only service accounts that are being used for some automations, but these accounts are not used to log in via the UI.

    Are these accounts still going to be impacted by the MFA enforcement?

    Do we know how this will be implemented by Okta? Will there be a new policy that will be added, enforcing MFA? Is there a UserAgent that will be used as a condition? Or "browser == unknown" or something similar?

     

     

    • Hello @DanS.78840 (Customer)

      Thank you for reaching out. The MFA enforcement to access the admin console is implemented by updating the Admin Console Policy to only allow "Any 2 factors" or "password+another factor" as authentication options in Okta Identity Engine.

      In Okta Classic, the sign-on policy for the admin app enables the "Prompt for factor" option. With this change, there will be no option to use a single factor to access the admin console.

       

      As far as the read-only service account goes, if it is performing admin operations via API calls using an SSWS token or an OAuth Token for authorization, there should be no impact.

  • AlejandraG.37830 (Customer Support Online Experience)

    I am already storing my admin password in a vault. Why do I need an MFA on top of this?

    • Hello @AlejandraG.37830 (Customer Support Online Experience)

      Thank you for your question.

      While it is a good thing that the admin password is secured in a vault, access to a highly privileged resource such as the Okta Admin Console with a single factor is not advised. Okta mandates that a second factor be used along with the password for better security. Okta recommends using a phishing-resistant factor such as a FIDO2 (WebAuthn) Authenticator or Okta FastPass, if possible, as the second factor.

       

       

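As an added illustration (not part of the thread and not Okta's code), the following check covers both replies above: the one describing how the Admin Console policy enforces two factors, and the one recommending a phishing-resistant second factor. It audits exported Okta Identity Engine policy rules; the rule JSON is constructed, and the field layout (`actions.appSignOn.verificationMethod` with `factorMode` and `constraints`) is an assumption about the shape of access policy rules returned by the Okta Policy API.

```python
import json

# Constructed sample rules, shaped like Okta Identity Engine access-policy
# rules (assumed layout). This is not real tenant data.
SAMPLE_RULES = json.loads("""
[
  {"name": "Admins - FastPass or WebAuthn", "status": "ACTIVE",
   "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
     "type": "ASSURANCE", "factorMode": "2FA",
     "constraints": [{"possession": {"phishingResistant": "REQUIRED"}}]}}}},
  {"name": "Break-glass password only", "status": "ACTIVE",
   "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
     "type": "ASSURANCE", "factorMode": "1FA", "constraints": []}}}},
  {"name": "Catch-all", "status": "ACTIVE",
   "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
     "type": "ASSURANCE", "factorMode": "2FA", "constraints": []}}}},
  {"name": "Old contractor rule", "status": "INACTIVE",
   "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
     "type": "ASSURANCE", "factorMode": "1FA"}}}}
]
""")

def audit_rule(rule):
    """Return findings for one rule; an empty list means nothing to fix."""
    if rule.get("status") != "ACTIVE":
        return []  # inactive rules are never evaluated
    sign_on = rule.get("actions", {}).get("appSignOn", {})
    if sign_on.get("access") != "ALLOW":
        return []  # deny rules grant no access
    method = sign_on.get("verificationMethod") or {}
    findings = []
    if method.get("factorMode") != "2FA":
        findings.append("single-factor access allowed")
    constraints = method.get("constraints") or []
    # Constraints are treated as alternatives, so every one of them must
    # demand a phishing-resistant possession factor.
    resistant = bool(constraints) and all(
        c.get("possession", {}).get("phishingResistant") == "REQUIRED"
        for c in constraints)
    if not resistant:
        findings.append("phishing-resistant factor not required")
    return findings

def audit_policy(rules):
    """Map rule name -> findings, keeping only rules that have findings."""
    report = {r["name"]: audit_rule(r) for r in rules}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for name, found in audit_policy(SAMPLE_RULES).items():
        print(f"{name}: {'; '.join(found)}")
```
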
  • My admins have already completed MFA at an external identity provider such as Azure AD/Duo/PingFederate before they access the Okta admin console. Why should they do MFA again at Okta?

This question is closed.