
# Okta Multifactor Authentication

## Using Okta MFA for Opal logins

To use Okta MFA for Opal logins, do the following three things:

1. Set up Okta as your SAML provider. [For instructions, see here.](/docs/okta-saml-setup)
2. In Okta, configure your Opal SAML app to [require MFA for login](https://help.okta.com/en-us/content/topics/security/mfa/mfa-home.htm).
3. In Opal, ensure that the **Require Opal MFA for logins** setting is off, so that Okta's sign-on policy, not Opal, is the MFA gate. With this setting off, Opal does not add a second factor of its own, so confirm that the Okta policy actually applies to the Opal app before relying on it.

<img src="https://mintcdn.com/opalsecurity/E-CmJXh0QNjZUl4g/images/docs/5707446882be420a8db219704595c7f3edc10cd6d5c8c3505a9dab30b8486af2-auth-settings-require-opal-mfa.png?fit=max&auto=format&n=E-CmJXh0QNjZUl4g&q=85&s=bdf3bd497e1997bf36b5f905e3605936" alt="1592" width="2676" height="1453" data-path="images/docs/5707446882be420a8db219704595c7f3edc10cd6d5c8c3505a9dab30b8486af2-auth-settings-require-opal-mfa.png" />

## Using Okta MFA for Opal actions: requesting, approving, connecting \[Legacy]

<Warning>
  This legacy integration supports only the following Okta factors for action MFA:

  * Okta Verify TOTP
  * Okta Verify Push

  If you'd like to use WebAuthn (YubiKey, Touch ID) in addition to Okta Verify, follow the instructions to use an OIDC Provider instead: [https://docs.opal.dev/docs/oidc-provider-setup-for-opal-actions](/docs/oidc-provider-setup-for-opal-actions)
</Warning>

First, go to the resource(s) you want to require MFA for and click **Edit**. Then, in the left pane, toggle on the desired setting:

* **MFA to approve requests** requires a reviewer to have completed an MFA within the 5 minutes before approving a request.
* **MFA to connect** (applies to select resource types) requires the user to have completed an MFA within the 5 minutes before connecting to a resource.

<img src="https://mintcdn.com/opalsecurity/odnvD_MsXBxTor9u/images/docs/7adff71-mfa-settings.png?fit=max&auto=format&n=odnvD_MsXBxTor9u&q=85&s=9a66214c4abbb0c0754c092b16ee09b1" alt="884" width="2958" height="1658" data-path="images/docs/7adff71-mfa-settings.png" />

Then, in your organization's settings, configure the following setting in the **Authentication** section:

<img src="https://mintcdn.com/opalsecurity/CCjTTkaW-43B4efd/images/docs/ffc27f6d1eb2bb9a0d0698853e657ea99f958c5bd3159539bbfa8823293bfbaf-auth-settings-mfa-gated-admins.png?fit=max&auto=format&n=CCjTTkaW-43B4efd&q=85&s=fce3db6ddf607e6fea8b8220bc2f74a9" alt="960" width="2676" height="1453" data-path="images/docs/ffc27f6d1eb2bb9a0d0698853e657ea99f958c5bd3159539bbfa8823293bfbaf-auth-settings-mfa-gated-admins.png" />

### Requirements for Okta Verify Push

When Opal triggers an Okta Verify push, the notification includes the location derived from the end user's IP address, so the user can recognize a push they did not initiate and deny it. Here is an example:

<img src="https://mintcdn.com/opalsecurity/odnvD_MsXBxTor9u/images/docs/82fc536-214995159-4eb5f510-29d3-455f-812b-0322c5abd312.png?fit=max&auto=format&n=odnvD_MsXBxTor9u&q=85&s=20f4add30b13dc85d89299f332593b84" alt="" style={{width:"40%", margin: "0 auto"}} width="750" height="1334" data-path="images/docs/82fc536-214995159-4eb5f510-29d3-455f-812b-0322c5abd312.png" />

Because Opal initiates the push on the user's behalf, Okta sees Opal's address as the connecting client. To have Okta take the user's original IP address from the `X-Forwarded-For` HTTP header instead, Opal's [IP ranges](/docs/ip-ranges) must be added as trusted proxy IPs in your org's network security settings. Add only those ranges: any address you list as a trusted proxy can set `X-Forwarded-For` to an arbitrary value, so an over-broad range lets anyone inside it choose the location shown on the push.

Note: If running Opal self-hosted, use the public egress IP ranges of your own infrastructure instead.
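To see why the trusted-proxy list has to be exact, the following added example (not Opal's or Okta's code) resolves a client IP from `X-Forwarded-For` the way a proxy-aware service does: the header is honoured only when the TCP peer is a trusted proxy, and the chain is walked from the right so that trusted hops are skipped and the first untrusted address wins. The CIDR ranges, peer addresses and header values are constructed placeholders, not Opal's published ranges; `OVERBROAD` stands in for the mistake of allowlisting a whole /8 instead of Opal's egress range.

```python
"""Client-IP resolution from X-Forwarded-For behind a trusted-proxy allowlist.

Added example, not Opal's or Okta's code. All addresses are constructed
placeholders; Opal's real ranges are published at /docs/ip-ranges.
"""
import ipaddress
from typing import Iterable, Optional

# Constructed stand-in for "Opal's IP ranges" entered under Trusted proxy IPs.
OPAL_EGRESS = ["203.0.113.0/24"]
# Constructed over-broad allowlist an admin might enter by mistake.
OVERBROAD = ["203.0.0.0/8"]


def _networks(cidrs: Iterable[str]):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def resolve_client_ip(peer_ip: str, xff_header: Optional[str],
                      trusted_proxies: Iterable[str]) -> str:
    """Return the address a request should be attributed to.

    peer_ip:         the TCP peer that delivered the request (Opal's egress
                     when Opal sends the Okta Verify push for the user).
    xff_header:      raw X-Forwarded-For value, e.g. "198.51.100.7, 192.0.2.10".
    trusted_proxies: CIDRs whose hops are allowed to appear in the header.

    Each proxy appends the address it received the request from, so the
    rightmost entry is the hop nearest to us. Walk from the right, skip every
    trusted hop, and take the first untrusted one. If the peer itself is not
    trusted the header is ignored: anyone can set it on a direct request.
    """
    trusted = _networks(trusted_proxies)

    def is_trusted(ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in trusted)

    if not xff_header or not is_trusted(peer_ip):
        return peer_ip

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed header: fall back to the peer
        if not is_trusted(hop):
            return hop
    # Every hop was a trusted proxy, so the chain began inside our own
    # infrastructure; the leftmost entry is the best attribution available.
    return hops[0]


def demo() -> dict:
    """Four constructed requests and the address each one resolves to."""
    user_ip = "198.51.100.7"      # the end user's real address
    opal_peer = "203.0.113.5"     # Opal egress, inside OPAL_EGRESS
    attacker_peer = "203.0.42.9"  # inside 203.0.0.0/8, outside Opal's range
    return {
        # Push relayed by Opal: attributed to the user, not to Opal.
        "via_opal": resolve_client_ip(opal_peer, user_ip, OPAL_EGRESS),
        # Direct request with a forged header from an untrusted peer: ignored.
        "forged_exact": resolve_client_ip(attacker_peer, user_ip, OPAL_EGRESS),
        # Same forged request against the over-broad list: the spoof succeeds.
        "forged_overbroad": resolve_client_ip(attacker_peer, user_ip, OVERBROAD),
        # user -> corporate proxy (untrusted) -> Opal: nearest untrusted hop wins.
        "corp_proxy": resolve_client_ip(opal_peer, f"{user_ip}, 192.0.2.10",
                                        OPAL_EGRESS),
    }


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:17s} -> {ip}")
```

The `forged_exact` and `forged_overbroad` cases differ only in the allowlist: with Opal's exact range the attacker's own address is reported, while with the /8 the attacker picks the address, and therefore the location on the user's push, freely.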

Navigate to the **Configuration** section in Okta:

* Under **Security**, click **Networks**.
* Edit the allowlist IP zone.
* Add the IP ranges under **Trusted proxy IPs**, like so:

<img src="https://mintcdn.com/opalsecurity/lwwIeFbsleftxaXx/images/docs/c76e769-Screen_Shot_2023-02-06_at_6.00.24_PM.png?fit=max&auto=format&n=lwwIeFbsleftxaXx&q=85&s=b2b6172b621f8f3f163cf8750144aafc" alt="1718" width="1718" height="1578" data-path="images/docs/c76e769-Screen_Shot_2023-02-06_at_6.00.24_PM.png" />

***
