Application developers and organizations are increasingly implementing multi-factor authentication to add an extra layer of security to their applications.
"In all my years working in this industry I've seen exactly 2 effective security technologies stand the test of time: firewalls and 2fa" — Chris Rohlf (@chrisrohlf), March 8, 2015
In this guide, we’ll show you how to add multi-factor authentication to your app with the Okta Platform.
The Okta Platform gives you the flexibility to deploy Okta’s built-in factors, or integrate with existing tokens. Native factors include SMS, and the Okta Verify app for iOS and Android. Integrations include Google Authenticator, RSA SecurID, Symantec VIP, and Duo Security.
Let’s get started!
To follow along with this guide, you will need to have your own Okta Developer Edition org and have Postman configured to make API requests to that account.
Below is an introduction to using Okta’s Multi-Factor Authentication (MFA) API to add MFA to an existing application.
In this guide, you will learn the actual HTTPS requests that are involved in adding MFA to your application. How you actually make these calls will depend on the programming language and web framework that your application uses.
If you are writing code in .NET or Java, Okta has helper libraries that will make it easy to add support for Okta to your application in an idiomatic way.
Before you can start writing code, you’ll need to do a few things in the Admin interface of your Okta org.
You must enable MFA from the Admin interface of your Okta org before you can use it from the Okta API. Here is how to enable MFA for your Okta org:
Requests made to the Okta API are authenticated via an API token. Here is how to create an API token for your Okta org:
If you haven’t set up Postman already, you will need to do that now. Here are instructions for setting up Postman to work with Okta.
Before you get started, you will want to make sure your Postman setup is configured correctly, a “Hello World” of sorts. Test your Postman setup as follows:
You’ll know it is working if you get back JSON containing one or more user objects.
The first step in adding MFA to an existing application is to create a user account in Okta. Among other things, creating a user account in Okta allows you to add MFA to your application without needing to update your user schemas.
For the purposes of this demonstration, we will create a random user generated with the Random User Generator website:
Now that you have created a user account in Okta, you are ready to set up MFA for that user account. A key part of enabling MFA for a user is actually verifying that they have an MFA token. In Okta, this process is known as “Enrollment”. Once an MFA token has been enrolled, we can then “Verify” that they actually have this token by asking them to answer a challenge using their token.
The process of attaching a factor to a user is similar for every type of factor that Okta supports. In the video we show how to attach a Google Authenticator factor as well as a phone as a factor using SMS. In this document we will only cover how to attach a Google Authenticator factor.
At a high level, the process of attaching a factor to an account is similar for all factors and works as follows:
Once the factor has been enrolled, you can verify it as needed.
Using the User ID that you created earlier, add a Google Authenticator factor to that user as follows:
After adding a factor to an Okta user, the next step is to have the user set up their factor and then prove that they have done so by answering a challenge with their token.
Continuing on from the steps above:
Now that you’ve verified the factor, you are ready to start verifying MFA tokens! Here is how to do that using Postman:
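The enroll, activate and verify sequence described above, as an added Python example that is not part of this guide or of Okta's own libraries: it builds the three Okta Factors API requests (paths and the SSWS token header as documented by Okta), pulls the shared secret out of a constructed sample enrollment response, and computes the RFC 6238 code an authenticator app would show for that secret. ORG_URL, API_TOKEN and the user and factor ids are placeholders, and the requests are returned rather than sent so the script runs offline.

```python
import base64, hashlib, hmac, json, struct, time

ORG_URL = "https://example.okta.com"    # placeholder: your Okta org URL
API_TOKEN = "<your-okta-api-token>"      # placeholder: the API token created in the Admin UI

def okta_request(method, path, body=None):
    """Build the request Postman would send; returned as a dict rather than sent, so it runs offline."""
    headers = {"Accept": "application/json", "Content-Type": "application/json",
               "Authorization": f"SSWS {API_TOKEN}"}
    return {"method": method, "url": ORG_URL + path, "headers": headers, "body": body}

def enroll_google_authenticator(user_id):
    # Enrollment: the new factor comes back as PENDING_ACTIVATION with a shared secret for the app.
    return okta_request("POST", f"/api/v1/users/{user_id}/factors",
                        {"factorType": "token:software:totp", "provider": "GOOGLE"})

def activate_factor(user_id, factor_id, pass_code):
    # Activation: the user proves possession by submitting the code their authenticator shows.
    return okta_request("POST", f"/api/v1/users/{user_id}/factors/{factor_id}/lifecycle/activate",
                        {"passCode": pass_code})

def verify_factor(user_id, factor_id, pass_code):
    # Verification: every later MFA challenge is answered through this endpoint.
    return okta_request("POST", f"/api/v1/users/{user_id}/factors/{factor_id}/verify",
                        {"passCode": pass_code})

def shared_secret_from_enrollment(response_json):
    """Extract factor id and activation secret; only a PENDING_ACTIVATION factor carries the secret."""
    data = json.loads(response_json)
    if data.get("status") != "PENDING_ACTIVATION":
        raise ValueError("factor is not awaiting activation")
    return data["id"], data["_embedded"]["activation"]["sharedSecret"]

def totp(shared_secret_b32, unix_time=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: what Google Authenticator computes from the enrollment secret."""
    key = base64.b32decode(shared_secret_b32.upper() + "=" * (-len(shared_secret_b32) % 8))
    counter = int((time.time() if unix_time is None else unix_time) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Constructed sample, shaped like Okta's enrollment response; not captured from a real org.
SAMPLE_ENROLL_RESPONSE = json.dumps({
    "id": "ostf_PLACEHOLDER_FACTOR_ID", "factorType": "token:software:totp", "provider": "GOOGLE",
    "status": "PENDING_ACTIVATION",
    "_embedded": {"activation": {"timeStep": 30, "sharedSecret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}}})
if __name__ == "__main__":
    factor_id, secret = shared_secret_from_enrollment(SAMPLE_ENROLL_RESPONSE)
    print(json.dumps(enroll_google_authenticator("00u_PLACEHOLDER_USER_ID"), indent=2))
    print("activation request:", activate_factor("00u_PLACEHOLDER_USER_ID", factor_id, totp(secret)))
```

The sample secret is the base32 form of the RFC 6238 reference key, so the code for time 59 can be checked against the RFC's published vector.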
At this point, you should understand how to use the Okta API to add MFA to an existing application. You can learn more about using the Okta MFA API with the following resources.