bdalpe / RADIUS-to-Okta-MFA

A utility to support Windows Remote Desktop Gateway MFA with Okta.
MIT License

Alternative to Okta push factor on mobile #128

Closed sandypatel1986 closed 4 months ago

sandypatel1986 commented 5 months ago

Hi Brendan,

We have a situation wherein some of our contractors who are working for us via Remote Desktop Gateway have a personal mobile and they don't want to install Okta Verify on their mobile devices. Is there any alternative to the Okta Verify mobile app? Any other Okta tool which can be installed on a Windows machine and can accept push notifications?

Although you have already mentioned that "This program only supports the Okta Push verification method. A user must already be setup/enrolled with a push factor", your reply will still be greatly appreciated.

bdalpe commented 5 months ago

Hi @sandypatel1986,

Yes, you are correct that the program only supports Okta Push MFA. This is implemented in the get_user_push_factor method. It is a design decision due to a limitation of how RDG supports RADIUS.

While Okta does support additional verification methods through their API, these methods are not compatible with the Remote Desktop Gateway because the RDG is unable to display a prompt to a user to collect the challenge response.

Microsoft's own documentation regarding Entra for NPS and RDG even states this:

The sign-in behavior for Remote Desktop Gateway doesn't provide the option to enter a verification code with Microsoft Entra multifactor authentication. A user account must be configured for phone verification or the Microsoft Authenticator App with Approve/Deny push notifications.

If neither phone verification nor the Microsoft Authenticator App with Approve/Deny push notifications is configured for a user, the user won't be able to complete the Microsoft Entra multifactor authentication challenge and sign in to Remote Desktop Gateway.

The SMS text method doesn't work with Remote Desktop Gateway because it doesn't provide the option to enter a verification code.

https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension-rdg#configure-accounts-for-two-step-verification

When I originally developed this application, the only supported Okta Verify platforms were iOS and Android. Okta has now added support for Windows and macOS in Okta Verify, which may be referred to as "FastPass". If your organization can allow your contractors to install the Okta Verify software on their machines, it may be possible to send a push notification to the computer. I have not had a chance to verify if this is possible via the API, but my initial research leads me to believe that Okta Verify for Windows and macOS would look the same as an iOS or Android device.

Currently the code picks the first verify device enrolled for the verification prompt, so your contractors would be able to enroll their computer with the agent installed. If the computer is the only device, then no changes should be needed in this project as the same API endpoint will be called with the computer as the target instead.

If the user has multiple devices enrolled in Okta Verify, it may be possible to expand this project to support multiple verification requests at a single time for a user. Okta Help docs say this is possible. (Okta Verify Supports Multiple Devices at the Same Time / Okta Verify - Expected Behavior with Multiple Devices Enrolled).

@sandypatel1986 can you try the Windows agent and report back if you have success?

sandypatel1986 commented 5 months ago

Brendan, Thank you very much for the detailed explanation. Let me try Okta Verify for windows and get back here with my findings.

sandypatel1986 commented 5 months ago

I took one test user and removed his account from the Okta Verify Android app. Now he does not have any push factor enrolled. Then I downloaded Okta Verify for Windows and configured his account over there. I can see in Okta login that there is one method enrolled. Now I am trying to log in to RDG, but the script throws an error saying "Received authentication prompt for user" followed by "User does not have an Okta push factor enrolled."

What I have read for Okta Verify for Windows is that it is designed to work with Okta FastPass. Okta FastPass provides passwordless authentication for Okta-managed apps (apps which have been integrated from the Okta app catalogue). In our case, we are not using any Okta-managed app; instead we are sending API calls. Is this the reason it fails?

bdalpe commented 5 months ago

@sandypatel1986 can you share a screenshot of the configured factors for the user? Have the user go to https://subdomain.okta.com/enduser/settings. It is in the "Extra Verification" section at the bottom right corner of the page.

Even better would be an output from the Okta API of the user's factors:

curl -i -X GET 'https://subdomain.okta.com/api/v1/users?search=profile%2EsamAccountName%20eq%20%22{username}%22' -H 'Authorization: SSWS YOUR_API_KEY_HERE'
curl -i -X GET 'https://subdomain.okta.com/api/v1/users/{userId}/factors' -H 'Authorization: SSWS YOUR_API_KEY_HERE'

The search query parameter value in the first curl command is URL encoded. You can view and update the original here.

Please sanitize any sensitive values or send me a direct message. Thanks!

sandypatel1986 commented 5 months ago

I shared the details over Gmail, Brendan.

bdalpe commented 4 months ago

Thanks for the info @sandypatel1986.

Summarizing here:

1) The user shows there is a device registered in the Security Methods in the Okta Verify section.
2) This app receives a request, but outputs a warning "<user> does not have any Okta push factor enrolled!"

In this app, we are looking for factorType == push, however FastPass uses a different factorType of signed_nonce. See the Okta API Factor type object description.

Based on this, I'm assuming that it's a challenge-response type of authentication which won't be supported by this app because it is not possible to verify the challenge. At this point, I don't think that FastPass will work for your use case.
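As an added illustration of the diagnosis above (and of the URL-encoded search query from the earlier curl commands), not code from this project: the helper below builds the user-search URL from a samAccountName, then inspects a factors list of the shape the Okta API returns and separates "no push factor" from "only FastPass (signed_nonce) enrolled". The factor JSON is constructed sample data, and `select_push_factor` / `explain_enrollment` are hypothetical names, not the project's `get_user_push_factor`.

```python
import json
from urllib.parse import quote

# Constructed samples of GET /api/v1/users/{userId}/factors responses (not real data).
# First user: Okta Verify Push on Android. Second user: only Okta Verify for Windows (FastPass).
SAMPLE_FACTORS_PUSH = json.loads("""[
  {"id": "opfEXAMPLE1", "factorType": "push", "provider": "OKTA", "status": "ACTIVE",
   "profile": {"name": "Pixel 7", "platform": "ANDROID"}}
]""")
SAMPLE_FACTORS_FASTPASS = json.loads("""[
  {"id": "opfEXAMPLE2", "factorType": "signed_nonce", "provider": "OKTA", "status": "ACTIVE",
   "profile": {"platform": "WINDOWS"}}
]""")


def build_user_search_url(base_url, sam_account_name):
    """Build the users?search= URL with the filter expression URL-encoded (hypothetical helper).

    A double quote inside the username would break out of the quoted filter, so reject it
    rather than interpolating it into the search expression.
    """
    if '"' in sam_account_name:
        raise ValueError("samAccountName must not contain a double quote")
    expr = f'profile.samAccountName eq "{sam_account_name}"'
    return f"{base_url}/api/v1/users?search={quote(expr, safe='')}"


def select_push_factor(factors):
    """Return the first ACTIVE Okta-provided push factor, or None if there is none."""
    for f in factors:
        if (f.get("factorType") == "push" and f.get("provider") == "OKTA"
                and f.get("status") == "ACTIVE"):
            return f
    return None


def explain_enrollment(factors):
    """Operator-facing reason string: distinguishes a usable push factor, FastPass-only, and nothing."""
    push = select_push_factor(factors)
    if push is not None:
        return f"ok: push factor {push['id']} on {push.get('profile', {}).get('platform', '?')}"
    types = sorted({f.get("factorType", "?") for f in factors})
    if "signed_nonce" in types:
        # FastPass enrols a signed_nonce factor, which RDG cannot complete (challenge-response).
        return "unsupported: only FastPass (signed_nonce) enrolled; RDG cannot complete the challenge"
    return f"missing: no Okta push factor enrolled (found: {types or 'none'})"
```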

sandypatel1986 commented 4 months ago

Thanks Brendan for the clarification.