Manual Chapter : Enrolling Factors and Signing in with Okta MFA

Applies To:

Show Versions Show Versions


  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 15.1.10, 15.1.9
Manual Chapter

Enrolling Factors and Signing in with Okta MFA

End-users can register a new device during the MFA enrollment after login with primary authentication. Subsequent logins go straight to the option(s) configured where the user is authenticated by Okta MFA using Push, TOTP, or Yubikey. When the user enrolls with more than one factor, a drop-down list displays all the factors available for selection. When the user enters a wrong OTP code, the agent follows the fallback branch. Depending on the
Lock out
settings in the Okta console, Okta locks the user out after unsuccessful attempts.
The first time you attempt to access (and are not yet enrolled), the system presents a list of available factors. You can select only one factor here but can set up an additional factor after successfully enrolling the first one.
Okta Verify
: Allows you to scan QR code and add an account or enroll your device using additional factors without scanning QR code. Push and TOTP variations of Okta Verify are displayed as a single factor. You can enroll in Push a TOTP with a QR code, e-mail, or SMS. You can enroll in TOTP by scanning a QR code or by entering a secret code in the Okta Verify app and then activating the factor by providing a one-time password.
When the Push factor is enrolled, the system polls the Okta server until you accept the push notification in the Okta Verify app. The
Subroutine Timeout
in per-request policies limits the time you have to accept the push notification.
: Allows you to use YubiKey to deliver a unique password each time it is activated. To specify YubiKey for authentication, administrators upload the YubiKey Configuration file generated through the YubiKey Personalization Tool. For details, refer to the Create a YubiKey Configuration File section on the Okta website.