Require U2F with Okta
Many identity providers, like Okta, support multiple multifactor authentication (MFA) options simultaneously. For example, Okta will allow you to login with your password and a temporary code generated in an app or a U2F hard key like a Yubikey.
Some second factor methods are more resistant to phishing. U2F options require you to have access to a physical device, also known as a hardware key. Without that key, a user cannot impersonate you even if they have your password. You can build rules in Cloudflare Access to require that users authenticate with a hardware key - even if your provider supports multiple options. When users login with a less secure option, like an app-based code, Access will block them.
This tutorial covers how to:
- Integrate Cloudflare Access with Okta
- Configure Okta for U2F enrollment
- Build an that require users login with a hardware key
- Specify that policy to apply to certain Access applications
The first two sections of this tutorial link to guides to set up Cloudflare Access and integrate Okta. If you already use Cloudflare Access with Okta, you can skip ahead to the fourth section.
Time to complete:
Configure Cloudflare Access
Configure Okta for U2F
An Okta administrator in your organization must first in your Okta account and to be prompted for it. This is a global setting; if your account has already configured U2F, you do not need to do anything unique to use it with Cloudflare Access.
Test U2F in Access
You can begin building U2F policies by testing your Okta integration.
Cloudflare Access will prompt you to login with your Okta account. For the purposes of the test, use a second factor option like an app-based code. Okta will return
amr values to Cloudflare Access - these are standard indicators of multifactor methods shared between identity control systems.
mfa value is sent by Okta to tell Cloudflare Access that you used a multifactor authentication option. The
pwd value indicates you used a password. In this example, the
otp value is sent because the user authenticatd with an app-based code.
You can test with a hardkey by logging out of Okta and returning to the list of providers in Access. Select Test again, but this time use your hardware key as a second factor. Cloudflare Access will now see Okta share
hwk in the
Build a Zero Trust policy to require U2F
You can use this information to build a rule in Access. Go to the
Applications list in the Cloudflare Access section of the dashboard. Choose an application that you have already built or create a new one. This example adds the requirement to an existing application.
Select Edit to edit the existing
Require rule and select
Authentication Method from the list. Choose
hwk as the required
Authentication Method. Select Save rule.
Optional: you can also configure Cloudflare Access to only show users Okta for this application if you have multiple other providers integrated. In the
Authentication Tab, choose
Okta as the only option to show users.
Testing the rule
You can now test the rule. Visit the application and attempt to login using an app-based code or method other than a hardware security key. Access will block the attempt.
If you sign out of Okta, and reattempt with a hardware key, Access will then allow the connection.