We have several mobile devices connected via Wi-Fi that run an application which authenticates through Okta. In it, we have implemented a policy where we can bypass MFA if the internet provider's IP range is whitelisted. This MFA bypass is an absolute requirement.
However, we have been experimenting with integrating Starlink, which doesn't really have a static IP range. Is there a secure way to make it so that the desired physical devices can bypass MFA, but everything else cannot?
Would appreciate it if someone can point me in the right direction.
You can keep the Starlink devices from being prompted for MFA without opening things up to everyone by tying the bypass to trusted devices (not just IPs). Common approaches are: enroll those physical devices into your MDM and use Okta Device Trust (so policies can check device posture), or terminate device traffic through a small VPN/NAT gateway that gives those devices a stable outbound IP range. Another pattern is to put the specific users/devices in a dedicated Okta group and create an authentication policy rule that allows reduced MFA for that group only when Device Trust (or a specific network zone) is present plus strict logging and short TTLs. For ideas others have discussed, see this similar thread: https://devforum.okta.com/t/how-to-bypass-mfa-code/23976.
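As an added illustration (not part of the original thread, and not Okta's API schema) of why the answer ties the bypass to trusted devices rather than a source IP range: a small Python model of first-match rule evaluation, with the IP-zone-only rule beside a group-plus-Device-Trust rule. Rule fields, the group name and the IP ranges are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class SignIn:
    """Sign-in context as the policy engine would see it (constructed fields)."""
    groups: set
    src_ip: str
    managed: bool      # enrolled in MDM and registered with Device Trust

@dataclass
class Rule:
    name: str
    groups: set = field(default_factory=set)   # empty = any user
    zones: list = field(default_factory=list)  # CIDR strings; empty = any network
    require_managed: bool = False
    factor_mode: str = "2FA"                   # "1FA" = second factor skipped
    session_ttl_h: int = 12

    def matches(self, s: SignIn) -> bool:
        if self.groups and not (self.groups & s.groups):
            return False
        if self.zones and not any(ipaddress.ip_address(s.src_ip) in ipaddress.ip_network(z)
                                  for z in self.zones):
            return False
        return not self.require_managed or s.managed

def evaluate(rules, s):
    """Ordered evaluation, first match wins; the last rule must be a catch-all."""
    for r in rules:
        if r.matches(s):
            return r.name, r.factor_mode, r.session_ttl_h
    raise ValueError("policy has no catch-all rule")

OFFICE_ISP = ["203.0.113.0/24"]   # constructed stand-in for the whitelisted ISP range
CATCH_ALL = Rule("catch-all")

# Weak: bypass keyed only on source network. Starlink sessions never land in the zone,
# and anything that does land in it (any customer of that ISP) skips MFA.
WEAK = [Rule("isp-bypass", zones=OFFICE_ISP, factor_mode="1FA"), CATCH_ALL]

# Hardened: bypass keyed on a dedicated group plus a managed device, from any network, short session.
HARDENED = [Rule("trusted-field-devices", groups={"field-devices"},
                 require_managed=True, factor_mode="1FA", session_ttl_h=2), CATCH_ALL]

field_dev = SignIn({"field-devices"}, "198.51.100.7", managed=True)    # company device via Starlink
unmanaged = SignIn({"field-devices"}, "198.51.100.7", managed=False)   # same link, unenrolled device
isp_guest = SignIn(set(), "203.0.113.44", managed=False)               # unknown user behind the office ISP
```

Under the weak policy the Starlink device always falls through to the 2FA catch-all while a stranger on the office ISP skips MFA; under the hardened policy only the enrolled device in the group gets 1FA, regardless of its address.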