How Okta MFA works with APM

End-users can register a new device during the MFA enrollment. The first time the user attempts access (and is not yet enrolled), the system presents a list of factors available for enrollment. Push and TOTP variations of Okta Verify are displayed as a single factor. The user can enroll in both Push and TOTP with a QR code, e-mail, or text message; the user can enroll in TOTP only by entering a secret code manually.

When the Push factor is enrolled (or verified), the system polls the Okta server until the user accepts the notification in the Okta Verify app. The time the user has is limited by the

Subroutine Timeout

in per-request policies. Successful enrollment allows the access policy to continue execution past the Okta MFA agent; there is no additional factor verification right after enrollment.

For the Yubico OTP factor, the administrator has to first register the Yubikey in the Okta org account. To enroll in the Yubico OTP factor, the user must use the Yubikey device to generate the passcode.

When the user is enrolled in more than one factor, a factor list is displayed so the user can select and verify one of them.