Multi-Factor Authentication - Okta Verify
Last modified on June 21, 2024
This feature is currently in closed-access beta. Functionality and documentation may change. Contact StrongDM for more information.
Okta Verify is available as a multi-factor authentication (MFA) option for your StrongDM users. This guide describes how to set up and configure MFA using Okta Verify.
Prerequisites
- StrongDM Administrator account
- Administrator access to your organization’s Okta Admin Console
- Okta Verify installed on a device that you can access and enrolled with your Okta organization
- Your Okta organization should be updated to use Okta Identity Engine. All new Okta accounts since March 1, 2022 use Identity Engine by default.
Set Up Okta Verify
The first part of the setup process takes place in the Okta Admin Console. Log in as an administrator of your Okta organization and perform the following steps.
- Go to Security > API > Tokens.
- Click the Create token button, and then copy the resulting token.
- Enable your users’ location context to be used in MFA prompts. The location of a user is based on the public-facing IP address of their client’s authenticated connection to the StrongDM control plane. In order for your organization’s MFA prompts to have the correct location, add the following StrongDM IP addresses to Okta in the Add IP Zone > Trusted proxy IPs section:
52.14.64.15044.240.242.220
Okta Verify setup is now complete. Keep this browser window open in case you need to copy the key when setting up StrongDM in the next section.
Set Up StrongDM
The setup continues in the StrongDM Admin UI.
Go to Settings, then Security, and scroll down to Multi-factor Authentication.
Click to unlock the fields and allow changes. Then select Okta from the dropdown menu.
Paste the token value that you copied from the Okta Admin Console into the Token field.
Fill your organization’s Okta URL into the Organization URL field. This should be in the format
https://<ORGANIZATION_NAME>.okta.com/.Click Test to test the MFA settings. This requires the email address of your currently logged-in user to be registered as a user in Okta. You can run a test and reject the login using the Okta Verify app, and run it again and approve it this time, if you want to test both outcomes.
Once you are satisfied with your settings, click Save to enable Okta Verify MFA. This displays a warning message that users cannot log in without MFA enrollment going forward.
Ensure that Test MFA works correctly before activating MFA or your admin account may become locked out!
Log in With Okta Verify Enabled
The login process once Okta Verify is enabled includes only one change. After entering the username and password, the login page contains a “Waiting for MFA…” message, which displays until the Okta Verify challenge is accepted on the user’s device. The process of logging in to the desktop app or the CLI with Okta Verify enabled is similarly altered.
Troubleshoot MFA With Okta Verify
You may run into issues authenticating your StrongDM account with Okta Verify MFA enabled. The following topics can help you troubleshoot any errors you receive while logging in.
MFA alongside SSO
When you set up an SSO provider to authenticate with StrongDM and also enable MFA in the Admin UI, MFA prompts during logins do not occur. In this scenario, your configured MFA only plays a role to re-authenticate users when the desktop app locks due to inactivity, not during normal login attempts.
If using SSO, we recommend setting up MFA through your SSO provider to also trigger MFA prompts during user logins.
New device setup or reset
If you get a new mobile device or have to reset your existing device, you may be unable to log in to your applications using Okta Verify on the new device. If this situation occurs, please contact your organization’s Okta administrator to provision your device.