Manual Chapter : How Okta MFA works with APM

Applies To:

  • 16.0.1, 16.0.0

How Okta MFA works with APM

End-users can register a new device during the MFA enrollment. The first time the user attempts access (and is not yet enrolled), the system presents a list of factors available for enrollment. Push and TOTP variations of Okta Verify are displayed as a single factor. The user can enroll in both Push and TOTP with a QR code, e-mail, or text message; the user can enroll in TOTP only by entering a secret code manually.
When the Push factor is enrolled (or verified), the system polls the Okta server until the user accepts the notification in the Okta Verify app. The time the user has is limited by the Subroutine Timeout in per-request policies. Successful enrollment allows the access policy to continue execution past the Okta MFA agent; there is no additional factor verification right after enrollment.
For the Yubico OTP factor, the administrator must first register the YubiKey in the Okta org account. To enroll in the Yubico OTP factor, the user must use the YubiKey device to generate the passcode.
When the user is enrolled in more than one factor, a factor list is displayed so the user can select and verify one of them.
If a user enters an incorrect OTP code three times in a row, Okta locks the user out and the agent follows the fallback branch.
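The Push polling described above can be modelled as a deadline-bounded loop that fails closed. This is an added example, not F5 or Okta code: the function names, the "continue"/"fallback" labels, the 60-second timeout and the 5-second poll interval are assumptions, and the server answers are constructed.

```python
import itertools

# factorResult values Okta reports for a push transaction
PENDING = "WAITING"
APPROVED = "SUCCESS"


def wait_for_push(poll, timeout_s, interval_s, clock, sleep):
    """Poll until the push is approved, refused, or the deadline passes.

    poll()  -> factorResult string from the (simulated) Okta server
    clock() -> current time in seconds; sleep(s) -> wait s seconds
    Returns ("continue" | "fallback", reason).
    """
    deadline = clock() + timeout_s  # stands in for the Subroutine Timeout
    while True:
        # Check the deadline before every poll so that an approval arriving
        # after the timeout can never be accepted.
        if clock() >= deadline:
            return ("fallback", "subroutine timeout")
        result = poll()
        if result == APPROVED:
            return ("continue", result)
        if result != PENDING:
            # REJECTED, TIMEOUT, ERROR or an unrecognised value: fail closed.
            return ("fallback", result)
        sleep(min(interval_s, max(0.0, deadline - clock())))


class FakeClock:
    """Deterministic clock so the model runs instantly and offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def simulate(results, timeout_s=60, interval_s=5):
    """Run the loop against a constructed sequence of server answers."""
    clock = FakeClock()
    # After the scripted answers run out, the user simply never responds.
    answers = itertools.chain(results, itertools.repeat(PENDING))
    return wait_for_push(lambda: next(answers), timeout_s, interval_s,
                         clock, clock.sleep)
```

Only an explicit `SUCCESS` seen before the deadline reaches the continue outcome; every other answer, including one the loop does not recognise, ends in fallback.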