Okta Verify as a second factor

Community-contributed integration

Okta Verify is not natively supported as an Ory Identities (Kratos) MFA method. This integration wires Okta Verify as an Ory Actions webhook that runs an Okta Factors API check. Reference: ory/integrates/mfa/okta-verify.

Okta Verify is Okta's mobile MFA app, supporting push, TOTP, and FastPass. Use it when Okta is the workforce identity store but Ory is the customer-facing layer.

How it works

You add an Ory Action on login.after with can_interrupt: true:

  1. The user completes primary authentication in Ory.
  2. Your handler calls Okta's Factors API (/api/v1/users/{userId}/factors/{factorId}/verify).
  3. Okta Verify sends a push to the user's mobile device.
  4. Your handler polls Okta for the result.
  5. On SUCCESS you return success. On REJECTED or timeout, you block the sign-in.
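
The five steps above as a Python handler that fails closed. This is an added example, not code from the referenced integration or from Ory. Assumptions: the webhook payload forwards the identity under `identity`, the enrolled push factor ID is stored in a hypothetical `metadata_public.okta_factor_id`, the org URL and environment variable names are placeholders, and the 403 status and error-body shape should be checked against Ory's flow-interrupting webhook documentation.

```python
import json, os, time, urllib.parse, urllib.request

OKTA_ORG = os.environ.get("OKTA_ORG_URL", "https://example.okta.com")  # placeholder org URL
OKTA_TOKEN = os.environ.get("OKTA_API_TOKEN", "")  # SSWS token, kept out of source

def okta_http(method, url):
    """Default transport: one Okta API call authenticated with the SSWS token."""
    req = urllib.request.Request(
        url, method=method, data=b"{}" if method == "POST" else None,
        headers={"Authorization": f"SSWS {OKTA_TOKEN}", "Accept": "application/json",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def verify_push(user_id, factor_id, http=okta_http, sleep=time.sleep,
                timeout_s=60, interval_s=3):
    """Steps 2-4: trigger the push, then poll until a final factorResult or the deadline."""
    uid, fid = (urllib.parse.quote(v, safe="") for v in (user_id, factor_id))
    body = http("POST", f"{OKTA_ORG}/api/v1/users/{uid}/factors/{fid}/verify")
    poll = body.get("_links", {}).get("poll", {}).get("href", "")
    deadline = time.monotonic() + timeout_s
    while body.get("factorResult") == "WAITING" and time.monotonic() < deadline:
        if not poll.startswith(OKTA_ORG + "/api/v1/"):
            return "ERROR"  # never send the SSWS token to a URL outside the org
        sleep(interval_s)
        body = http("GET", poll)
    result = body.get("factorResult")
    return "TIMEOUT" if result == "WAITING" else (result or "ERROR")

def handle_login_after(payload, **kw):
    """Step 5: (HTTP status, JSON body) for the Ory Action; anything but SUCCESS blocks."""
    meta = (payload.get("identity") or {}).get("metadata_public") or {}
    user_id, factor_id = meta.get("okta_user_id"), meta.get("okta_factor_id")
    try:
        result = verify_push(user_id, factor_id, **kw) if user_id and factor_id else "NOT_ENROLLED"
    except Exception:  # Okta unreachable, bad token, malformed response: fail closed
        result = "ERROR"
    if result == "SUCCESS":
        return 200, {}
    # Generic text for the user; log `result` server-side for investigation.
    return 403, {"messages": [{"messages": [
        {"id": 1, "type": "error", "text": "Second-factor verification failed."}]}]}
```

Keep `timeout_s` below the request timeout of the webhook on the Ory side, so a slow push is rejected by this handler rather than cut off mid-poll.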

For most use cases, native WebAuthn MFA or TOTP is simpler. Okta Verify makes sense primarily when it's already deployed across the workforce.

Notable

  • Requires an Okta SSWS API token scoped to the Okta org.
  • Map each Ory identity to an Okta user, typically through metadata_public.okta_user_id set at enrollment.
  • Push requires the user's mobile device to be online.

Resources