
RobertG.12413 (Manufacturing Company) asked a question.
Hi Okta Community. I'm looking for real-world guidance on service account setup for API Token creation under OIE.
My challenge is 1) Service accounts can authenticate to Okta with single-factor through global session policies, 2) ADMIN console access requires MFA (cannot be bypassed via authentication policies), 3) API token creation requires admin console access, and 4) We do not want the token tied to a single employee in case they leave etc.
Right now, we can create a service account to login to Okta fine, but clicking "ADMIN" triggers the MFA requirement. We don't want that tied to any individual.
My question(s) are:
- How do you handle service account MFA in practice (shared email, hardware token, something else?)
- What is your process when the person who set up MFA leaves the organization?
- Any creative solutions for organizational MFA that multiple team members can access?
Ultimately we're trying to follow security best practices while avoiding single points of failure. What approaches have worked for your organizations?

One approach you could take is to use FIDO2 as your authenticator for the service account and then set it up with a passkey which is saved to a shared vault like 1password, lastpass, etc. Then only grant access to the team that needs it. Or even better, put it behind a PAM solution (that's going to the extreme level).