Phishing-Resistant MFA for Zero Trust Security
Configure multiple authenticator factors and create adaptive authentication policies that enforce phishing-resistant MFA for privileged administrators while maintaining usability for standard users.
Implement a comprehensive multi-factor authentication strategy by configuring multiple authenticator types across different factor categories, then create targeted authentication policies that enforce stronger security requirements for administrative access based on group membership.
| Component | Purpose |
|---|---|
| Okta Authenticators | Factor enrollment and verification configuration |
| Google Authenticator | TOTP-based possession factor |
| Okta Verify | Push notifications with FastPass phishing resistance |
| FIDO2 (WebAuthn) | Hardware-protected passwordless authentication |
| Authentication Policies | Risk-based access control rules |
Before configuring authenticators, it's important to understand the three factor categories used in modern MFA:
| Factor Type | Description | Examples in Okta |
|---|---|---|
| Knowledge | Something you know | Password |
| Possession | Something you have | Google Authenticator, Okta Verify, Email, FIDO2 key |
| Biometric | Something you are | Okta Verify with biometrics, FIDO2 with fingerprint |
Strong MFA requires factors from two different categories, not just two factors from the same category: a password plus a Google Authenticator code combines knowledge and possession, whereas Email plus Google Authenticator is two possession factors and does not count as strong MFA.
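To make the two-category rule and the admin-only phishing-resistance requirement concrete, here is an added Python model of the policy logic this guide configures (it is not Okta's code or API; the authenticator catalog follows the table above, the admin group name is a hypothetical placeholder, and which authenticators count as phishing-resistant is an assumption based on the component list):

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"   # something you know
    POSSESSION = "possession" # something you have
    BIOMETRIC = "biometric"   # something you are


@dataclass(frozen=True)
class Authenticator:
    name: str
    category: Category
    phishing_resistant: bool = False


# Catalog built from the factor-type table; phishing-resistance flags are an assumption:
# FIDO2/WebAuthn and Okta Verify FastPass resist phishing, TOTP/push/email do not.
PASSWORD = Authenticator("Password", Category.KNOWLEDGE)
GOOGLE_AUTH = Authenticator("Google Authenticator (TOTP)", Category.POSSESSION)
OKTA_VERIFY_PUSH = Authenticator("Okta Verify push", Category.POSSESSION)
OKTA_VERIFY_FASTPASS = Authenticator("Okta Verify FastPass", Category.POSSESSION, True)
EMAIL = Authenticator("Email", Category.POSSESSION)
FIDO2_KEY = Authenticator("FIDO2 (WebAuthn) key", Category.POSSESSION, True)
FIDO2_FINGERPRINT = Authenticator("FIDO2 with fingerprint", Category.BIOMETRIC, True)

# Hypothetical group that the stricter policy rule targets.
ADMIN_GROUPS = frozenset({"Okta Administrators"})


def evaluate(user_groups, authenticators_used):
    """Decide whether a sign-on satisfies the policy; returns (allowed, reason).

    Every user must present factors from two distinct categories. Members of an
    admin group must additionally present at least one phishing-resistant factor.
    """
    categories = {a.category for a in authenticators_used}
    if len(categories) < 2:
        return False, "factors must come from two different categories"
    if frozenset(user_groups) & ADMIN_GROUPS:
        if not any(a.phishing_resistant for a in authenticators_used):
            return False, "administrators must use a phishing-resistant authenticator"
    return True, "ok"
```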
Expand the available possession factors by adding Google Authenticator to your organization's authenticator catalog.
Navigate to Security → Authenticators and click Add authenticator.

Configuration Details: