Table of Contents (Answers Below)
Why are we moving from Duo to Okta Verify?
Okta Verify is included in our Okta subscription; Duo adds an additional cost. In order to reduce expenses for Mines, we are moving the majority of multi-factor authentication (MFA) challenges to Okta Verify.
Does Okta Verify access my data on my phone or cost me anything to use?
The app does not store any work data on your phone, nor does it have access to any of the personal data stored on your phone. It merely serves as a secure means to prove your identify. Also, it does not cost you anything to use.
Will using Okta Verify expose my phone to Colorado Open Records Act (CORA) or Freedom of Information Act (FOIA) requests?
According to the Mines Office of General Council, installing and using an authenticator app like Okta Verify on a personal phone is not sufficient to expose the contents of the phone to CORA or FOIA requests.
Why aren’t all MFA challenges moving to Okta Verify?
Duo will be used for server access on campus because it performs better for that specific use case.
Why are SMS/text messages and phone calls being removed as options for receiving MFA challenges?
Cyberattacks are getting more advanced. Through social engineering, hackers can easily learn a user’s phone number and clone it to another device. Once this happens, the hacker can intercept the SMS text message or phone call and can approve their unauthorized access from there.
The push notifications you’ll receive through the Okta Verify app are significantly more secure.
Is there an alternative to using the Okta Verify app for MFA challenges?
We recommend purchasing a YubiKey as an alternative to receiving push notifications through the Okta Verify app.
You’ll need to keep your YubiKey with you because it’s required to complete MFA challenges. Depending on the YubiKey, you’ll either need to insert it into a USB port on your machine or some models are near field communications (NFC)-enabled and allow you to touch your YubiKey to the device.
I notice there are various models of YubiKey available. Which ones work?
The following models of YubiKey have been tested and verified by IT:
- Yubico - Security Key NFC: available for both USB-A and USB-C ports. The cost for the USB-A version is ~$25 (on Amazon) and ~$29 for the USB-C version; the prices could vary slightly depending on when and where you purchase it. These keys will need to be inserted into a USB port on your laptop when you receive a MFA challenge or if your device supports NFC, you should be able to touch the key to your device at the designated area (will vary by device) to satisfy the MFA challenge.
- Yubico - Security Key 5 NFC (or Security Key 5C NFC): available for both USB-A and USB-C (5C NFC model) ports. The cost of the USB-A version is ~$50 and ~$55 for the USB-C version. These keys will need to be inserted into a USB port on your laptop when you receive a MFA challenge or if your device supports NFC, you should be able to touch the key to your device at the designated area (will vary by device) to satisfy the MFA challenge. These keys are functionally equivalent to the model above, but add support for additional protocols and advanced security workflows (SSH, smart card login, etc.). This additional functionality is not needed for Okta access.
- Other YubiKeys and other vendors of keys can also work; however, Mines IT has not tested them so there are no guarantees. If you want to try another brand/model of key, please make sure it says it supports FIDO2/WebAuthn hardware-based authentication.
If you are having any issues with the Okta Verify app or for any other questions regarding YubiKeys, etc., please contact the IT Service Desk by visiting https://helpcenter.mines.edu or calling 303-278-HELP (4357).
Why can’t I use the Duo fob I have?
If you are accessing a server and receive a Duo challenge, you will be able to use your fob if you have one. However, those Duo fobs are specific to Duo and cannot be repurposed for use with Okta Verify