Okta Authenticators
About MFA authenticators
The goal of a good multifactor authentication (MFA) strategy is to provide a certain level of assurance. This is the degree of confidence that the user attempting to sign in is who they say they are. Authenticators provide different levels of assurance depending on their factor type:
Possession: This is something that the user has in their possession, such as a phone, or access to an email account.
Knowledge: This is something that the user knows, such as a password, or the answer to a security question.
Biometric: This is something that the user is. It represents a physical attribute of the user, such as a fingerprint or face, that a device can scan with a fingerprint reader or facial scanner. The scan is used to determine that the person attempting to authenticate is the same person who originally set up this type of authentication.
This table shows the relationship between authenticators, factor types, and methods.

Factor type                                Authenticator (methods)                    Methods
Knowledge (something you know)             n/a                                        n/a
Possession (something you have)            Okta Verify (TOTP & Push)
                                           Security Key (touch-enabled YubiKey)
                                           Email Magic Link (future potential use)
                                           SMS (limited use case)
Biometrics/Inherence (something you are)
Authenticators also have methods. Each method enrollment satisfies a different set of factor types and method characteristics. For example, some authenticators are bound to a specific device, while others are used to demonstrate the physical presence of the user (instead of a bot, for example). Here’s a table that describes the characteristics of methods:
Method characteristic: Device-Bound
  Description: The device key or secret is stored on the device and can't be transferred to another device without re-enrolling.
  Examples: All possession authenticators except for Email and Phone

Method characteristic: Hardware-Protected
  Description: An authenticator that provides hardware protection of secrets or private keys. The device key is stored on a separate device, in the Trusted Platform Module (TPM), in a secure enclave, or on a separate hardware token, such as RSA SecurID. Hardware protection isn't provided by all types of devices.
  Examples: Okta Verify proof-of-possession key

Method characteristic: Phishing-Resistant
  Description: An authenticator that cryptographically verifies the login server. The credential is bound to the legitimate origin, so an assertion produced for a lookalike site is not accepted by the real one.
  Examples: WebAuthn, Okta FastPass in Okta Verify

Method characteristic: User Presence
  Description: The user proves they have control of the authenticator by actively authenticating (interacting with the authenticator, such as touching a YubiKey or entering a one-time password) and so demonstrates their physical presence.
  Examples: Every method except an Okta Verify verification signed by a proof-of-possession key
To provide higher levels of assurance, select combinations of authenticators that cover different factor types:
- Select Okta Verify with biometrics enabled to verify the physical person attempting to authenticate
When you add an authenticator, you must also configure it so that it works the way you want in your environment. Each authenticator has unique configuration requirements, and some authenticators are used for specific purposes.
For example, we may configure the school email, a personal phone number, or security question authenticators so that they can be used only for password recovery, or only for access to certain apps.
Phishing resistance
Phishing-resistant authentication prevents the disclosure of usable authentication data to fake applications or websites. WebAuthn (FIDO2) and Okta FastPass (a verification option in Okta Verify) are phishing-resistant authenticators: the credential is bound to the legitimate origin and the authenticator cryptographically verifies the login server, so an assertion produced for a lookalike site is useless against the real one. This defeats phishing delivered by email, SMS, or social media, including real-time relay (adversary-in-the-middle) proxies that capture one-time codes. Two caveats apply. Phishing-resistant authenticators don't protect against attacks where the computer or network is already compromised. And the protection only holds when the sign-on policy actually requires a phishing-resistant method; if a user can still satisfy the policy with SMS, email, or TOTP, an attacker simply phishes that weaker method instead.
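As an added example (not Okta's code and not code from this page), the following Python shows the relying-party checks that make a WebAuthn assertion origin-bound, next to RFC 6238 TOTP, which has no origin input at all. A TOTP code typed into a lookalike site and relayed within the time step verifies; an assertion produced for a lookalike origin fails the origin and rpIdHash checks; and an assertion whose origin and rpIdHash the relay edits to the real values fails the signature check, because both fields are under the signature. The domain names, the credential key and the fixed challenge are assumptions made for the example, and the signature is an HMAC stand-in for the authenticator's ECDSA or EdDSA signature so the file runs on the standard library alone.

```python
"""Origin binding: a relayed TOTP code is accepted, a relayed WebAuthn
assertion is not. Added example, not Okta's or the FIDO Alliance's code.
Checks follow the WebAuthn assertion-verification steps (type, challenge,
origin, rpIdHash, user-presence flag, signature over
authenticatorData || SHA-256(clientDataJSON)). Domains, key and
challenge are constructed; HMAC stands in for the private-key signature.
"""
import base64
import hashlib
import hmac
import json
import struct

RP_ID = "login.example.edu"                        # assumed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.edu"}    # assumed
CREDENTIAL_KEY = b"stand-in for the credential's private key"
CHALLENGE = bytes(range(32))                       # fixed here; use os.urandom(32)


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def simulate_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """What the browser plus authenticator hand back to the page at `origin`.
    The browser, not the page, writes `origin` into clientDataJSON, and only
    lets a page use an rp_id that its own origin falls within, so a lookalike
    site gets an assertion scoped to its own domain."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    flags = 0x01                                   # UP bit: the user touched the key
    auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
                 + bytes([flags])
                 + struct.pack(">I", 7))                     # signature counter
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": signature}


def verify_assertion(assertion: dict, expected_challenge: bytes) -> bool:
    """Relying-party side. Every field checked here is covered by the signature."""
    client_data_json = assertion["clientDataJSON"]
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False
    if cd.get("origin") not in ALLOWED_ORIGINS:    # the phishing-resistance check
        return False
    ad = assertion["authenticatorData"]
    if len(ad) < 37:
        return False
    if not hmac.compare_digest(ad[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False                               # key was scoped to another RP
    if not ad[32] & 0x01:
        return False                               # no user presence
    signed = ad + hashlib.sha256(client_data_json).digest()
    expected = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. Inputs are secret and time only: no origin."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    return any(hmac.compare_digest(totp(secret, at + d * 30), code)
               for d in range(-window, window + 1))


def relayed_totp_accepted(secret: bytes, now: int) -> bool:
    """Victim types the code into the fake site; the proxy replays it 5 s later."""
    return verify_totp(secret, totp(secret, now), now + 5)


def relayed_webauthn_accepted(phishing_origin: str, phishing_rp_id: str) -> bool:
    """The proxy forwards the real challenge, but the victim's browser signs
    for the phishing origin and rp_id, so origin and rpIdHash both mismatch."""
    return verify_assertion(simulate_assertion(phishing_origin, phishing_rp_id, CHALLENGE),
                            CHALLENGE)


def forged_webauthn_accepted(phishing_origin: str, phishing_rp_id: str) -> bool:
    """The proxy rewrites origin and rpIdHash to the real values; the signature
    no longer covers what was sent, so verification fails on the last step."""
    a = simulate_assertion(phishing_origin, phishing_rp_id, CHALLENGE)
    cd = json.loads(a["clientDataJSON"])
    cd["origin"] = next(iter(ALLOWED_ORIGINS))
    a["clientDataJSON"] = json.dumps(cd).encode()
    a["authenticatorData"] = hashlib.sha256(RP_ID.encode()).digest() + a["authenticatorData"][32:]
    return verify_assertion(a, CHALLENGE)


if __name__ == "__main__":
    fake = "https://login-example-edu.example.net"          # constructed lookalike
    legit = simulate_assertion("https://login.example.edu", RP_ID, CHALLENGE)
    print("legitimate WebAuthn:", verify_assertion(legit, CHALLENGE))
    print("relayed WebAuthn:   ", relayed_webauthn_accepted(fake, "login-example-edu.example.net"))
    print("forged WebAuthn:    ", forged_webauthn_accepted(fake, "login-example-edu.example.net"))
    print("relayed TOTP:       ", relayed_totp_accepted(b"12345678901234567890", 1_700_000_000))
```

The TOTP path never sees where the code was typed, which is exactly why a relay proxy works against it; the WebAuthn path rejects the relayed assertion before the signature is even checked, and the signature check catches any attempt to patch the origin afterwards.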
Rev# 10-13-23