Environment
University of Michigan, Okta Passwordless and Multi-Factor Authentication, Supported Device OS Versions: iPhone, Android, iPad, MacOS, Windows.
ChromeOS and Linux are not currently supported.
Issue
- What options are available with Okta at U-M for passwordless and multi-factor authentication (MFA)?
- What's the difference between an Okta Token and a Yubikey?
- I'd like to use a different authenticator app.
Resolution
Okta Multi-Factor Authentication Options
All U-M users who are required to use multi-factor authentication must use one of the following methods in order to sign into their account.
Okta Verify Mobile App
The Okta Verify Mobile App is an application you install on your mobile device, allowing you to complete multi-factor authentication. When signing in, it sends you a notification or displays a code for you to confirm your identity, ensuring you are the only one who can access your information.
- Push Notifications: We strongly recommend using the Okta Verify mobile app and choosing Push Notifications because it is the most secure option.
- Okta Verify Code: Entered on the Okta Sign-in page using the "Enter a Code" option, these one-time codes Okta Verify Mobile App can be used if you are traveling and/or do not have access to Wi-Fi or a cellular connection.
Okta FastPass (Passwordless) Using Okta Verify Desktop and Mobile App
Okta FastPass is an optional, secure way to log into your university accounts without needing to type in your password every time. It works through the Okta Verify app on your computer. Instead of entering a password, you can use your computer’s built-in security features—like fingerprint, face recognition, or a PIN. By setting up Okta FastPass on your computer, it can also serve as a backup authentication method should you not have access to your phone with the Okta Verify mobile app. See additional information about Okta FastPass.
Okta Hardware Tokens
A hardware token is a key fob that generates a passcode for you to enter. If you do not have a mobile device that supports the Okta Verify App, then a hardware token is the recommended option for MFA.
- Hardware tokens can be obtained from the ITS Tech Shop online or in person. See additional information about how to obtain and set up an Okta hardware token.
- The university will cover the cost of an initial Okta hardware token for each individual (shipping is not included). Replacement tokens are available at a cost to the individual.
- Individuals who only use a token for MFA will need to obtain a token from the ITS Tech Shop prior to starting the Okta enrollment process at oktaverify.umich.edu. They will receive an on-screen notification once they have successfully completed the Okta enrollment process.
YubiKey - Security Key (WebAuthn/FIDO2)
YubiKey Security Keys are small USB devices that plug into your computer’s USB port (or can be held near your phone if it supports touchless connection). When you tap the key it completes the multi-factor authentication step.
- For most users who wish to use a security key, an Okta hardware token is a better option as it offers more flexibility and is automatically enrolled for you at the time of purchase.
- A YubiKey should only be used as an additional MFA device (the Okta Verify app is the recommended MFA method used in tandem with a YubiKey).
See additional Information about how to obtain and set up a YubiKey - security key.
Other Authenticator Apps and Biometric Authenticators
- To ensure the most reliable login experience, ITS recommends and supports the options above.
- Third-party apps (Microsoft, Google, Authy, etc.) are not supported by ITS.
- Biometric authenticators (Windows Hello, iCloud Keychain, Google Password Manager, etc) are not supported by ITS.
Additional Information
See Change Okta MFA Method to choose a different Okta multi-factor authentication (MFA) method at sign-in if you’ve previously set up more than one.
See Add and Replace Okta MFA Methods to change the MFA methods associated with your UMICH account.
Need additional information or assistance with Okta? Michigan Medicine affiliates, contact HITS. Other U-M affiliates, contact the ITS Service Center.