# MFA with Okta Verify

Okta Verify is available as a multi-factor authentication (MFA) option for your StrongDM users. This guide describes how to set up and configure MFA using Okta Verify.

### Prerequisites

* StrongDM Administrator account
* Administrator access to your organization's Okta Admin Console
* Okta Verify installed on a device that you can access and enrolled with your Okta organization

### Set Up Okta Verify

The first part of the setup process takes place in the Okta Admin Console. Log in as an administrator of your Okta organization and perform the following steps.

1. Go to **Security** > **API** > **Tokens**.
2. Click the **Create token** button, and then copy the resulting token.
3. Enable your users' location context to be used in MFA prompts. The location of a user is based on the public-facing IP address of their client’s authenticated connection to the StrongDM control plane. In order for your organization's MFA prompts to have the correct location, add the following StrongDM IP addresses to Okta in the **Add IP Zone** > **Trusted proxy IPs** section:

{% tabs %}
{% tab title="US" %}
Primary: `52.14.64.150`\
Secondary: `44.240.242.220`
{% endtab %}

{% tab title="UK" %}
*Follow instructions in the tab for the region of your organization's StrongDM control plane, not your own location. The default control plane region is US.*

Primary: `18.168.65.99` (London)\
Secondary: `52.30.129.19` (Ireland)
{% endtab %}

{% tab title="EU" %}
*Follow instructions in the tab for the region of your organization's StrongDM control plane, not your own location. The default control plane region is US.*

Primary: `18.199.182.104` (Frankfurt)\
Secondary: `35.181.195.199` (Paris)
{% endtab %}
{% endtabs %}

#### Okta API token roles

When you create an Okta API token, you can tie it to a service account in Okta that has the "Organization administrator" role. Optionally, you may also create a custom role for that purpose, with the following minimum permissions:

* **Role**:
  * User
    * Manage users
  * Identity and Access Management
    * View roles, resources, and admin assignments
* **Resource set**:
  * Identity and Access Management
    * All Identity and Access Management resources
  * Users
    * All users
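As an added example (not StrongDM's or Okta's own code), the following Python script builds the two Okta objects this page asks you to create by hand: an IP network zone whose trusted proxies are the StrongDM control-plane addresses listed in the region tabs above, and a custom admin role carrying only the two permissions listed above, so the API token is not tied to a full Organization administrator. It calls Okta's Network Zones API (`POST /api/v1/zones`) and Custom Admin Roles API (`POST /api/v1/iam/roles`) with an SSWS token; the zone name, role label and the `OKTA_ORG_URL` / `OKTA_API_TOKEN` environment variable names are assumptions, and the resource set and binding listed above are still assigned in the Admin Console. Every address is checked to be a public IPv4 address before it is placed in the zone, so a typo cannot silently widen the trusted-proxy list.

```python
import ipaddress
import json
import os
import sys
import urllib.request

# StrongDM control-plane addresses exactly as listed on this page, keyed by
# control-plane region (not by the administrator's own location).
STRONGDM_PROXY_IPS = {
    "US": ["52.14.64.150", "44.240.242.220"],
    "UK": ["18.168.65.99", "52.30.129.19"],
    "EU": ["18.199.182.104", "35.181.195.199"],
}

# Okta permission identifiers for the two rights listed on this page.
MIN_ROLE_PERMISSIONS = ["okta.users.manage", "okta.iam.read"]


def build_zone_payload(region, zone_name="StrongDM control plane"):
    """Body for POST /api/v1/zones: an IP zone listing the StrongDM
    addresses as trusted proxies. The zone name is an assumption."""
    try:
        ips = STRONGDM_PROXY_IPS[region.upper()]
    except KeyError:
        raise ValueError(f"unknown StrongDM control plane region {region!r}")
    proxies = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)  # ValueError on malformed input
        # Refuse anything that is not a single public IPv4 address; a stray
        # private range here would mark internal traffic as a trusted proxy.
        if addr.version != 4 or not addr.is_global:
            raise ValueError(f"refusing non-public address {ip}")
        proxies.append({"type": "CIDR", "value": f"{addr}/32"})
    return {
        "type": "IP",
        "name": f"{zone_name} ({region.upper()})",
        "status": "ACTIVE",
        "proxies": proxies,
    }


def build_custom_role_payload(label="StrongDM MFA integration"):
    """Body for POST /api/v1/iam/roles: least-privilege role for the token.
    The label is an assumption."""
    return {
        "label": label,
        "description": "Role for the StrongDM Okta Verify MFA API token",
        "permissions": list(MIN_ROLE_PERMISSIONS),
    }


def okta_post(org_url, path, token, payload):
    """POST a JSON body to the Okta management API using an SSWS API token."""
    req = urllib.request.Request(
        org_url.rstrip("/") + path,
        data=json.dumps(payload).encode(),
        headers={
            "Authorization": f"SSWS {token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


if __name__ == "__main__":
    region = sys.argv[1] if len(sys.argv) > 1 else "US"
    org_url = os.environ.get("OKTA_ORG_URL")      # e.g. https://<ORGANIZATION_NAME>.okta.com/
    token = os.environ.get("OKTA_API_TOKEN")      # assumed variable name
    zone = build_zone_payload(region)
    role = build_custom_role_payload()
    if not (org_url and token):
        # Dry run: show what would be sent without touching the org.
        print(json.dumps({"zone": zone, "role": role}, indent=2))
    else:
        print(okta_post(org_url, "/api/v1/zones", token, zone)["id"])
        print(okta_post(org_url, "/api/v1/iam/roles", token, role)["id"])
```

Run it without the two environment variables to review the payloads as a dry run; with them set, it creates the zone and the role and prints their Okta IDs. Pass `UK` or `EU` as the first argument when your control plane is not in the default US region.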

The Okta side of the setup is now complete. Keep this browser window open in case you need to copy the token again when setting up StrongDM in the next section.

### Set Up StrongDM

The setup continues in the StrongDM Admin UI.

1. Go to **Settings**, then **Security**, and scroll down to **Multi-factor Authentication**.
2. Click to unlock the fields and allow changes. Then select **Okta** from the dropdown menu.
3. Paste the token value that you copied from the Okta Admin Console into the **Token** field.
4. Fill your organization's Okta URL into the **Organization URL** field. This should be in the format `https://<ORGANIZATION_NAME>.okta.com/`.
5. Click **Test** to test the MFA settings. For the test to work, the email address of the user you are currently logged in as must be registered as a user in Okta. To exercise both outcomes, run a test and reject the prompt in the Okta Verify app, then run it again and approve it.
6. Once you are satisfied with your settings, click **Save** to enable Okta Verify MFA. This displays a warning message that users cannot log in without MFA enrollment going forward.

{% hint style="warning" %}
Ensure that **Test MFA** works correctly before activating MFA or your admin account may become locked out!
{% endhint %}

### Log in With Okta Verify Enabled

The login process once Okta Verify is enabled includes only one change. After entering the username and password, the login page contains a "Waiting for MFA..." message, which displays until the Okta Verify challenge is accepted on the user's device. The process of logging in to the desktop app or the CLI with Okta Verify enabled is similarly altered.

### Troubleshoot MFA With Okta Verify

You may run into issues authenticating your StrongDM account with Okta Verify MFA enabled. The following topics can help you troubleshoot any errors you receive while logging in.

#### MFA alongside SSO

When you set up an SSO provider to authenticate with StrongDM and also enable MFA in the Admin UI, MFA prompts during logins do not occur. In this scenario, your configured MFA only plays a role to re-authenticate users when the desktop app locks due to inactivity, not during normal login attempts.

If using SSO, we recommend setting up MFA through your SSO provider to also trigger MFA prompts during user logins.

#### New device setup or reset

If you get a new mobile device or have to reset your existing device, you may be unable to log in to your applications using Okta Verify on the new device. If this situation occurs, please contact your organization's Okta administrator to provision your device.

{% hint style="warning" %}
StrongDM is unable to assist with enrolling individual end-user devices for MFA.
{% endhint %}
