Okta Privileged Access (OPA) has had the option to turn on Multifactor Authentication (MFA) for server access policy for some time. This has now been extended to cover secret access policy.
If you have worked with OPA Policy Rules for Secrets, you will be familiar with the permissions that can be set for folder and secret access.

Below the permissions is the familiar option to apply an Access Request flow to the rule (Approval requests). A new option has been added for Multifactor authentication.

Enabling MFA expands the dialog to show the MFA options.

These are the same options that apply to server access rules. They leverage the Authenticators defined in Okta.

The assurance level dictates whether any two factor types will do (e.g. Possession + Knowledge or Possession + Biometric) or whether a phishing-resistant authenticator is required (e.g. Okta Verify or FIDO2 (WebAuthn)).
The reauthentication frequency is how often the user is prompted for MFA: either on every action, or only after a specified duration from the last authentication. Note that if you have a folder hierarchy, the "every guarded action" option means that every folder traversal and every secret access will prompt for MFA, which may not be a desirable user experience. If this is the case, it may be better to have more secret access rules, with MFA applied only in high-risk scenarios (or to set a duration).
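
To see how the two reauthentication options differ when a user walks a folder hierarchy, the following added example (not Okta code and not part of the original post) models them in Python. The session data, the function name `mfa_prompts` and the exact duration semantics are assumptions made for illustration.

```python
# Simplified model of the two reauthentication options described above.
# This is an illustration, not Okta Privileged Access code or its API.
from typing import List, Optional, Tuple

# Constructed sample session: (seconds since start, guarded action).
# Folder and secret names are made up for the example.
SESSION: List[Tuple[int, str]] = [
    (0,   "list folder /prod"),
    (5,   "list folder /prod/db"),
    (9,   "list folder /prod/db/payments"),
    (14,  "reveal secret /prod/db/payments/root-password"),
    (400, "reveal secret /prod/db/payments/api-key"),
    (950, "list folder /prod/db"),
]


def mfa_prompts(actions: List[Tuple[int, str]], mode: str,
                duration_s: Optional[int] = None) -> List[str]:
    """Return the guarded actions that would trigger an MFA prompt.

    mode="every_action": every folder traversal and secret access prompts.
    mode="duration": prompt only if no MFA has happened yet, or the last
    MFA is at least duration_s seconds old (assumed semantics).
    """
    if mode not in ("every_action", "duration"):
        raise ValueError(f"unknown mode: {mode}")
    if mode == "duration" and (duration_s is None or duration_s <= 0):
        raise ValueError("duration mode needs a positive duration_s")

    prompted: List[str] = []
    last_mfa: Optional[int] = None  # time of the most recent MFA
    for ts, action in sorted(actions):
        if mode == "every_action":
            needs_mfa = True
        else:
            needs_mfa = last_mfa is None or ts - last_mfa >= duration_s
        if needs_mfa:
            prompted.append(action)
            last_mfa = ts
    return prompted


if __name__ == "__main__":
    for label, kwargs in [("every guarded action", {"mode": "every_action"}),
                          ("15-minute duration", {"mode": "duration", "duration_s": 900})]:
        hits = mfa_prompts(SESSION, **kwargs)
        print(f"{label}: {len(hits)} prompts")
        for hit in hits:
            print("  MFA ->", hit)
```
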
Once applied, MFA will be shown as a Conditional against the policy rule.

That’s it. It’s the same as for server access policies and has the same user experience.
It will allow administrators to apply MFA based on risk, alongside the approval requests control.

IAMSE