> For the complete documentation index, see [llms.txt](https://docs.strongdm.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.strongdm.com/admin/principals/mfa/mfa-okta.md).

# MFA with Okta Verify

Okta Verify is available as a multi-factor authentication (MFA) option for your StrongDM users. This guide describes how to set up and configure MFA using Okta Verify.

## Prerequisites

* StrongDM Administrator account
* Administrator access to your organization's Okta Admin Console
* Okta Verify installed on a device that you can access and enrolled with your Okta organization

## Set Up Okta Verify

StrongDM supports two methods for configuring Okta Verify MFA:

* Client credentials (recommended): This method uses an OAuth 2.0 service app and public/private key pair. It is more secure and aligns with Okta best practices.
* API token: This method uses a static API token. Note that this method remains supported for existing configurations but is less secure and not recommended for new setups.

{% hint style="info" %}
StrongDM recommends using client credentials for all new Okta Verify MFA configurations.

Use API tokens only if you have an existing integration that cannot be migrated.
{% endhint %}

### Configure Okta

Before adding Okta MFA in StrongDM, configure your Okta application. Either create a service app with client credentials, or create an API token.

#### Create a service app (client credentials)

If you are using client credentials for authentication (recommended), follow these general steps to create and configure an OAuth 2.0 service app in Okta.

1. In Okta, create a **Service App**.
2. Generate or upload a **public key** for the application.
3. Grant the service app the API scopes StrongDM needs for MFA operations (for example, to look up a user and trigger an Okta Verify push challenge). The required scopes are as follows:
   1. `okta.users.read`
   2. `okta.users.manage`
   3. `okta.factors.read`
   4. `okta.factors.manage`
4. Copy the **Client ID**.
5. Use the corresponding **private key** when configuring StrongDM.

{% hint style="info" %}
The Key ID (kid) field is optional but recommended. It must match the kid of the public key registered in the Okta app, and it is required if you later want to rotate the client credential private key.
{% endhint %}

{% hint style="info" %}
StrongDM does not validate scopes automatically. Ensure that the service app has the correct permissions in Okta.
{% endhint %}
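The following script is an added example, not StrongDM's or Okta's own code. It shows the pieces the client-credentials setup above relies on: an RSA key pair whose public half you register with the service app, a kid that names that key, the RS256 `private_key_jwt` client assertion that a client-credentials token request presents to `<Organization URL>/oauth2/v1/token`, the verification Okta performs with the registered public key, and the form body that requests exactly the four scopes listed above. Generating the key pair locally (rather than letting Okta generate it) keeps the private key on your machine until you paste it into StrongDM. It assumes `openssl` is installed; the client ID `0oaEXAMPLECLIENTID` and org URL `https://example.okta.com` in the usage comment are placeholders. The same `gen_keypair` and `kid_for` functions produce the replacement key and kid when you rotate keys later.

```shell
#!/usr/bin/env bash
# Added example, not StrongDM or Okta code. Builds the RSA key pair, kid and
# private_key_jwt client assertion behind an Okta OAuth 2.0 service app, then
# verifies the assertion the way Okta does. Assumes openssl is on PATH; the
# client ID and org URL in the usage comment at the bottom are placeholders.
set -eu

b64url() {             # stdin bytes -> base64url without '=' padding (JOSE encoding)
  openssl base64 -A | tr '+/' '-_' | tr -d '='
}

b64url_decode() {      # stdin base64url -> raw bytes; restores '+/' and the padding
  local s
  s=$(tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | openssl base64 -d -A
}

# 1. Key pair. Upload the public PEM to the Okta service app; the private PEM
#    goes into StrongDM's "Private Key" field and nowhere else.
gen_keypair() {        # gen_keypair <private.pem> <public.pem>
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
  openssl pkey -in "$1" -pubout -out "$2"
}

# 2. Key ID. Deriving the kid from the public key (SHA-256 of the DER-encoded
#    SPKI) gives a value that is stable per key and changes when you rotate.
#    Whatever value you choose, it must match the kid shown for the key in Okta.
kid_for() {            # kid_for <public.pem>
  openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 -binary | b64url
}

# 3. Client assertion. Okta requires iss and sub to both equal the client ID,
#    aud to be the token endpoint, a unique jti, and a short-lived exp.
client_assertion() {   # client_assertion <private.pem> <kid> <client_id> <org_url>
  local now header payload sig
  now=$(date +%s)
  header=$(printf '{"alg":"RS256","typ":"JWT","kid":"%s"}' "$2" | b64url)
  payload=$(printf '{"iss":"%s","sub":"%s","aud":"%s/oauth2/v1/token","iat":%s,"exp":%s,"jti":"%s"}' \
    "$3" "$3" "$4" "$now" "$((now + 300))" "$(openssl rand -hex 16)" | b64url)
  sig=$(printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -sign "$1" -binary | b64url)
  printf '%s.%s.%s' "$header" "$payload" "$sig"
}

jwt_payload() {        # jwt_payload <jwt> -> decoded claims JSON
  printf '%s' "$1" | cut -d. -f2 | b64url_decode
}

# 4. Verification: the check Okta performs with the registered public key.
#    Returns 0 only if the signature covers header.payload unchanged.
verify_assertion() {   # verify_assertion <public.pem> <jwt>
  local sigfile rc
  sigfile=$(mktemp)
  printf '%s' "${2##*.}" | b64url_decode > "$sigfile"
  rc=0
  printf '%s' "${2%.*}" | openssl dgst -sha256 -verify "$1" -signature "$sigfile" >/dev/null 2>&1 || rc=1
  rm -f "$sigfile"
  return "$rc"
}

# 5. Form body for POST <org_url>/oauth2/v1/token requesting the four scopes the
#    page lists. Compare the "scope" field of Okta's response with this list:
#    StrongDM does not validate scopes for you.
token_request_body() { # token_request_body <assertion>
  printf 'grant_type=client_credentials&scope=%s&client_assertion_type=%s&client_assertion=%s' \
    'okta.users.read%20okta.users.manage%20okta.factors.read%20okta.factors.manage' \
    'urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer' "$1"
}

# Usage (0oaEXAMPLECLIENTID and example.okta.com are placeholders):
#   gen_keypair sdm-okta.key sdm-okta.pub
#   KID=$(kid_for sdm-okta.pub)
#   JWT=$(client_assertion sdm-okta.key "$KID" 0oaEXAMPLECLIENTID https://example.okta.com)
#   verify_assertion sdm-okta.pub "$JWT" && echo "assertion verifies against the public key"
#   curl -sS -X POST https://example.okta.com/oauth2/v1/token \
#     -H 'Accept: application/json' -H 'Content-Type: application/x-www-form-urlencoded' \
#     --data "$(token_request_body "$JWT")"
```

Running the `curl` line is the same check StrongDM's **Test MFA** button exercises on the token side: a `200` with an `access_token` confirms the private key, kid and client ID agree with the app in Okta, and the `scope` field of the response tells you which of the four scopes were actually granted.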

#### Create an API token (legacy)

If you are using API token authentication:

1. In Okta, generate an **API token**.
2. Copy the token for use in StrongDM.

{% hint style="info" %}
API tokens are supported for backward compatibility, but we recommend using client credentials instead.
{% endhint %}

### Configure Okta Verify MFA in StrongDM

After you have configured your Okta application, you can set up Okta Verify in StrongDM.

1. Navigate to **Settings > MFA** in the Admin UI.
2. Select **Okta**.
3. Under **Authentication Mode**, choose one of the following:
   * **Client Credentials** (default)
   * **API Token**
4. If **Client Credentials** is selected, set the following:
   1. **Organization URL:** Your Okta organization URL (for example, `https://example.okta.com`)
   2. **Client ID:** The client ID from your Okta OAuth service app
   3. **Key ID (kid):** The identifier of the public key in the Okta app that corresponds to the private key you paste below; if the app has more than one public key, this is how the right one is selected
   4. **Private Key:** Paste the PEM-formatted private key associated with the public key configured in Okta
   5. **User Lookup:** Configure how StrongDM looks up users in Okta
   6. **Multi-Device Push** (optional): Enable if users may have multiple Okta Verify devices
5. If **API Token** is selected, set the following. No configuration is required in Okta beyond generating the API token.
   1. **Organization URL:** Your Okta organization URL (for example, `https://example.okta.com`)
   2. **API Token:** The API token generated in Okta
   3. **User Lookup:** Configure how StrongDM looks up users in Okta
   4. **Multi-Device Push** (optional): Enable if users may have multiple Okta Verify devices
6. Click **Test MFA** to verify the configuration.
7. Click **Save**.

{% hint style="warning" %}
Ensure that **Test MFA** succeeds before you activate MFA; otherwise your admin account may be locked out.
{% endhint %}

{% hint style="info" %}
API tokens remain supported for existing configurations, but we recommend migrating to client credentials when possible.
{% endhint %}

### Rotate Keys

To rotate credentials, follow these general steps.

1. In Okta, generate a new key pair for the service app (client credentials) or a new API token.
2. Update the **Private Key** or **API Token** in StrongDM.
3. If you are rotating a client credential key pair, also update the **Key ID (kid)** to match the new public key.
4. Click **Test MFA**, confirm that it succeeds, and then click **Save**.

### Programmatic Configuration

You can configure Okta MFA using the following:

* `sdm admin mfa` commands (CLI)
* StrongDM SDKs

Refer to the CLI or SDK documentation for details.

## Log in With Okta Verify Enabled

After MFA is enabled, the login flow includes one additional step:

* After entering your username and password, the login page displays `"Waiting for MFA..."`.
* This message remains until the Okta Verify push notification is approved on the user’s device.

This behavior also applies to the StrongDM desktop app and CLI.

## Troubleshoot Okta Verify MFA

If you experience issues logging in with Okta Verify, review the following:

### MFA with SSO

If you configure both **SSO** and **MFA** in StrongDM:

* MFA prompts do not appear during login.
* MFA is only used when re-authenticating (for example, after the desktop app locks due to inactivity).

To enforce MFA during login, configure MFA through your SSO provider instead.

### New or Reset Devices

If a user sets up a new device or resets an existing one, Okta Verify may no longer work.

If this happens, contact your organization’s Okta administrator to re-enroll the device.

{% hint style="warning" %}
StrongDM is unable to assist with enrolling individual end-user devices for MFA.
{% endhint %}

