Okta Options for Passwordless and Multi-Factor Authentication

Environment

University of Michigan, Okta Passwordless and Multi-Factor Authentication, Supported Device OS Versions: iPhone, Android, iPad, MacOS, Windows.

ChromeOS and Linux are not currently supported.

Issue

Describes the options available with Okta at U-M for passwordless and multi-factor authentication (MFA).

Resolution

Okta Multi-Factor Authentication Options

Okta Verify Mobile App

We strongly recommend using the Okta Verify App on a smartphone because it offers multiple secure login-approval methods that work with or without a Wi-Fi or cellular connection.

• Push Notifications: Push notifications in the Okta Verify Mobile App are the recommended option for multi-factor authentication if you are able to use them.
• One-Time Passcode (TOTP): TOTP in the Okta Verify Mobile App are recommended if you are traveling and/or do not have access to Wi-Fi or a cellular connection.

Okta FastPass (Passwordless) Using Okta Verify Desktop and Mobile App

Okta FastPass is optional and should be used in addition to the Okta Verify Mobile App.  Okta FastPass is a phishing-resistant authentication method that uses the Okta Verify application on your computer or mobile device to sign-in. The FastPass feature offers passwordless sign-in, using biometrics such as FaceID, TouchID, and Windows Hello, for a more secure and user-friendly authentication experience. See additional information about Okta FastPass.

Okta Hardware Tokens

A hardware token is a key fob that generates a passcode for you to enter. If you do not have a mobile device that supports the Okta Verify App, then a hardware token is the recommended option for MFA.  

• Hardware tokens can be obtained from the ITS Tech Shop online or in person. See additional information about how to obtain and set up an Okta hardware token.
• The university will cover the cost of an initial Okta hardware token for each individual (shipping is not included). Replacement tokens are available at a cost to the individual. 
• Individuals who only use a token for MFA will need to obtain a token from the ITS Tech Shop prior to starting the Okta enrollment process at oktaverify.umich.edu. They will receive an on-screen notification once they have successfully completed the Okta enrollment process. 

YubiKey - Security Key (WebAuthn/FIDO2)

A security key plugs into a USB port (or connects over NFC) and, when tapped or pressed, completes the Okta authentication. This method is very secure, but it is not the most flexible option.

• Security Keys (including YubiKeys) are supported with Okta, and can be enrolled as a phishing-resistant authentication method. See additional Information about how to obtain and set up a YubiKey / security key.

Additional Information

See Change Okta MFA Method to choose a different Okta multi-factor authentication (MFA) method at sign-in if you’ve previously set up more than one. 

See Add and Replace Okta MFA Methods to change the MFA methods associated with your UMICH account.

As the University of Michigan transitions to Okta for sign-in and multi-factor authentication, we’re here to help with any issues you may encounter. Until February 25, 2026, everyone will continue to use U-M Weblogin and Duo to access U-M Services.

Need help with Okta? Visit our Okta Help page.