Okta MFA
Status: Scaffold — content in progress
MFA Factors
| Factor | Type | Phishing Resistance |
|---|---|---|
| Okta Verify Push | Push notification | No (push bombing target) |
| Okta Verify TOTP | Time-based OTP | No (can be phished via real-time proxy) |
| FIDO2 / WebAuthn | Hardware key / passkey | Yes — bound to origin |
| SMS OTP | SMS | Low (SIM swap) |
| Email OTP | Email | Low |
| Security questions | Knowledge | No |
Push Bombing (MFA Fatigue)
An attacker with valid credentials triggers repeated push notifications until the user approves one, whether out of fatigue or by accident.
Okta-specific mitigations:
- Number matching: user must match a code shown on screen to the one shown in the app
- Additional context: shows location/app in push notification
- FastPass (passwordless): FIDO2-based, phishing-resistant
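A detection heuristic for the push-bombing pattern described above, as an added example that is not part of the original page or Okta's own code: it counts Okta Verify push challenges per user in a sliding window over System Log events and reports whether an approval followed the burst. The event records are constructed, and the 10-minute window and threshold of 5 are assumed starting values to tune per tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Okta System Log event types used by this heuristic.
PUSH_SENT = "system.push.send_factor_verify_push"
PUSH_DENIED = "user.mfa.okta_verify.deny_push"
MFA_RESULT = "user.authentication.auth_via_mfa"

def ts(event):
    # "published" is ISO 8601 with a trailing Z; normalise it for fromisoformat().
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))

def detect_push_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Flag users with >= threshold pushes in one window (both values are assumptions)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["actor"]["alternateId"]].append(e)
    findings = []
    for user, evs in sorted(by_user.items()):
        evs.sort(key=ts)
        pushes = [ts(e) for e in evs if e["eventType"] == PUSH_SENT]
        count, first, last, start = 0, None, None, 0
        for end, t in enumerate(pushes):  # sliding window over push times
            while t - pushes[start] > window:
                start += 1
            if end - start + 1 > count:
                count, first, last = end - start + 1, pushes[start], t
        if count < threshold:
            continue
        tail = [e for e in evs if first <= ts(e) <= last + window]
        findings.append({
            "user": user,
            "pushes": count,
            "denied": sum(e["eventType"] == PUSH_DENIED for e in tail),
            # An approval right after a burst is the case to triage first.
            "approved_after_burst": any(
                e["eventType"] == MFA_RESULT and e["outcome"]["result"] == "SUCCESS"
                for e in tail),
        })
    return findings

def sample_event(user, kind, sec, result="SUCCESS"):
    stamp = "2024-01-01T03:%02d:%02d.000Z" % divmod(sec, 60)
    return {"eventType": kind, "published": stamp,
            "actor": {"alternateId": user}, "outcome": {"result": result}}

# Constructed sample: six pushes to alice in 3 minutes, five denied, the last approved.
SAMPLE = [sample_event("alice@example.com", PUSH_SENT, s) for s in range(0, 180, 30)]
SAMPLE += [sample_event("alice@example.com", PUSH_DENIED, s + 5) for s in range(0, 150, 30)]
SAMPLE += [sample_event("alice@example.com", MFA_RESULT, 160),
           sample_event("bob@example.com", PUSH_SENT, 10),
           sample_event("bob@example.com", MFA_RESULT, 15)]
```

A finding with `approved_after_burst` set should be handled as a likely account compromise; a burst with only denials still indicates that the password is known to someone else.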
Cross-Links
| Topic | Link |
|---|---|
| MFA Fatigue Attack | mfa-fatigue |
| Okta Overview | okta-overview |