Okta as an MFA Provider

Hello, can applications use Okta as just an MFA provider? In this scenario, users would be authenticated within the application and will be using Okta only for MFA verification. Does Okta allow this kind of setup?

Thanks!

You can use the API to create/verify MFA tokens (against a user directory you also have to manage using the API). This seems more of a “yes, it will technically work” than a “you will be happy with the experience” kind of thing in my opinion.

If you use the API for everything and hide a lot of the Okta benefits, it’s possible. But I wouldn’t recommend it.

However, it does work great as an ad-hoc or transactional MFA provider if you also are using it for primary authentication.

Thanks for the response! Few follow-up questions:

  1. With this API approach for MFA verification, should users’ credentials be maintained in Okta tenant?
  2. Alternatively, could we use the Okta Java SDK for authenticating the user from within the application without redirecting to Okta? Is this recommended?
  3. If no, what is the general use case for Okta SDK, only user management?

Thanks!

I’ll go completely “off script” here in my responses:

  1. No, you don’t technically need to store users’ credentials in Okta. You will need to store a username (and a password comes with that naturally) but you don’t have to authenticate the user in order to use the API to perform MFA authentication. (So you could create users with really long random passwords with no access to anything). But then you have to manage/sync the identity between your application and Okta in some fashion.

2/3 - Not my expertise; can’t render an informed opinion.
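
The API-only setup discussed in this thread, as an added sketch that is not part of any post above and is not Okta's own sample code: it builds the Okta user-creation and factor-verification requests and interprets the verification response so that anything other than an explicit success is treated as a failed MFA check. The org URL, API token, user and factor IDs are placeholders, and it assumes the tenant's password policy accepts the generated random value.

```python
import json
import secrets
import urllib.request
from urllib.parse import quote

OKTA_ORG = "https://example.okta.com"   # placeholder org URL (assumption)
API_TOKEN = "REPLACE_WITH_API_TOKEN"    # placeholder; load from a secret store


def _request(method, path, body):
    """Build (but do not send) an Okta API request using an SSWS API token."""
    return urllib.request.Request(
        OKTA_ORG + path,
        data=json.dumps(body).encode(),
        method=method,
        headers={"Authorization": "SSWS " + API_TOKEN,
                 "Accept": "application/json", "Content-Type": "application/json"},
    )


def shadow_user_request(app_username, email, first, last):
    """Okta-side user that exists only to hold MFA factors."""
    # The password is random and never stored or shown, so nobody can log in with it.
    body = {
        "profile": {"login": app_username, "email": email,
                    "firstName": first, "lastName": last},
        "credentials": {"password": {"value": secrets.token_urlsafe(48)}},
    }
    return _request("POST", "/api/v1/users?activate=true", body)


def verify_factor_request(okta_user_id, factor_id, pass_code):
    """Ask Okta to check a one-time code against an enrolled factor."""
    path = "/api/v1/users/{}/factors/{}/verify".format(
        quote(okta_user_id, safe=""), quote(factor_id, safe=""))
    return _request("POST", path, {"passCode": pass_code})


def mfa_passed(http_status, response_body):
    """Fail closed: only HTTP 200 with factorResult == SUCCESS counts as verified."""
    if http_status != 200:
        return False
    try:
        return json.loads(response_body).get("factorResult") == "SUCCESS"
    except (ValueError, TypeError, AttributeError):
        return False
```

The application still has to keep its own mapping from local account to Okta user ID and factor ID, which is the manage/sync cost raised in the replies above.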