Authentication Transaction Model Flashcards

1
Q

What does the Authentication API do?

A

Provides operations to authenticate users, perform MFA enrollment and verification, recover forgotten passwords, and unlock accounts.

2
Q

What are the two ways that the Okta Authentication API can be used?

A

As a standalone API to provide the identity layer on top of your existing application, or integrated with the Okta Sessions API to obtain an Okta session cookie and access apps with Okta.

3
Q

What is the Okta sessions API?

A

Provides operations to create and manage authentication sessions for users in your Okta organization

4
Q

Who is the Authentication API targeting?

A

Developers who want to build their own end-to-end login experience to replace the built-in Okta login experience.

5
Q

What scenarios does the Authentication API address?

A

Primary authentication which lets you verify username and password credentials for a user.

MFA authentication which strengthens the security of password-based authentication by requiring additional verification of another factor.

Recovery, which lets users reset their password if they’ve forgotten it or unlock their account if it has been locked out because of too many login attempts.

6
Q

How can the behavior of the Okta Authentication API vary?

A

It can vary depending on the type of your application and on your org’s security policies, such as the global session policy, the MFA enrollment policy, or the password policy.

7
Q

How are policies evaluated by Okta for authentication?

A

Based on the client request context, such as IP address

8
Q

What is the new name for the MFA Enrollment Policy in Identity Engine?

A

Authenticator Enrollment Policy

9
Q

What is a public application?

A

An application that anonymously starts an authentication or recovery transaction without an API token, such as the Okta Sign-In Widget.

10
Q

What are some characteristics of public applications?

A

Aggressively rate limited to prevent abuse

Require primary authentication to be successfully completed before releasing any metadata about a user

11
Q

What are trusted applications?

A

Backend applications that act as an authentication broker or login portal for your Okta organization and may start an authentication or recovery transaction with an administrator token.

12
Q

What are some characteristics of trusted applications?

A

They may implement their own recovery flows and primary authentication process

They may receive additional metadata about the user before primary authentication has successfully completed

May need to override the client request context to forward the originating client context for the user

13
Q

How does every authentication transaction start?

A

With primary authentication which validates a user’s primary password credential. Password Policy, MFA Policy, and Sign On Policy are evaluated during primary authentication to determine if the user’s password is expired, a Factor should be enrolled, or additional verification is required.

The transaction state of the response depends on the user’s status, group memberships and assigned policies.

14
Q

What are the request parameters for primary authentication?

A

audience: (deprecated) App ID of the target app the user is signing into

context: Provides context for the authentication transaction

options: Opt-in features for the authentication transaction

password: User’s password credential

token: Token received as part of the activation user request

username: User’s non-qualified short-name (e.g. chad.sterling) or unique fully qualified sign-in name (e.g. chad.sterling@okta.com)

15
Q

What are the opt-in features for the authentication transaction state machine?

A

multiOptionalFactorEnroll: Transitions transactions back to MFA_ENROLL state after successful Factor enrollment when additional optional factors are available for enrollment.

warnBeforePasswordExpired: Transitions transactions to PASSWORD_WARN state before SUCCESS if the user’s password is about to expire and within their password policy warn period.

16
Q

What is a context object?

A

Allows trusted web applications such as an external portal to pass additional context for the authentication or recovery transaction.

17
Q

How do you override context?

A

Overriding context such as deviceToken is a highly privileged operation limited to trusted web applications and requires making authentication or recovery requests with a valid administrator API token. If an API token is not provided, the deviceToken will be ignored.

18
Q

What is a deviceToken?

A

A globally unique ID identifying the user’s client device or user agent.

19
Q

How is the deviceToken used?

A

You must pass the same deviceToken for a user’s device with every authentication request for per-device or per-session Sign-On Policy Factor challenges. If the deviceToken is absent or does not match the previous deviceToken, the user is challenged every time instead of per-device or per-session.

You must always pass the same deviceToken for a user’s device with every authentication request for new device security behavior detection. If the deviceToken is absent or doesn’t match a recent deviceToken for the user, the request is considered to be from a new device.

20
Q

What are some best practices for generating and storing deviceTokens for web applications?

A

For web apps, Okta recommends that you generate a UUID or GUID for each client and persist the deviceToken using a secure, HTTP-only cookie or HTML5 localStorage scoped to the customer’s domain as the default implementation.

21
Q

What are some best practices for generating and storing deviceTokens for native apps?

A

For native apps, ask the device operating system for a unique device ID

22
Q

What is the transaction object?

A

The Authentication API is a stateful API that implements a finite state machine with defined states and transitions. Each initial authentication or recovery request is issued a unique state token that must be passed with each subsequent request until the transaction is complete or cancelled.

23
Q

What does the 401 unauthorized state mean for the authentication transaction object?

A

A 401 Unauthorized status code is returned for requests with invalid credentials, locked-out accounts, or access denied by sign-on policy.

24
Q

What does the 429 too many requests state mean for the authentication transaction object?

A

This is returned when the rate-limit is exceeded.

25
Q

What is primary authentication with a public application?

A

Authenticating a user with username/password credentials via a public application.

26
Q

What happens if the user's password policy is configured to show lockout failures?

A

If the user's password policy is configured to show lockout failures, the authentication process completes with LOCKED_OUT status.

27
Q

What is primary authentication with a trusted application?

A

Authenticates a user through a trusted application or proxy that overrides the client request context. The public IP address of your trusted application must be allowed as a gateway IP address to forward the user agent's original IP address with the X-Forwarded-For HTTP header. The Authorization: SSWS ${api_token} header is optional; in the case of a SPA (single-page app) this header can be omitted.

28
Q

What is primary authentication with an activation token?

A

Authenticates a user through a trusted application or proxy that overrides the client request context.

29
Q

What happens when authenticating with activation tokens if the user was created without credentials?

A

If the user was created without credentials, the response will trigger the workflow to set the user's password. After the password is configured, depending on the MFA setting, the workflow continues with MFA enrollment or successful authentication.

30
Q

How do you set up primary authentication with device fingerprinting?

A

Include the X-Device-Fingerprint header. This header can be used in the following ways:

If the new or unknown device email notification is enabled, an email is sent to the user if the device fingerprint sent in the X-Device-Fingerprint header isn't associated with a previously successful user sign-in.

If you have the security behavior detection feature enabled and you have a new device behavior configured in a policy rule, a new device is detected if the device fingerprint sent in the X-Device-Fingerprint header isn't associated with a previously successful user sign-in. This feature has been deprecated.

31
Q

How do you specify your device fingerprint in the X-Device-Fingerprint header?

A

It is a highly privileged operation that is limited to trusted web applications and requires making authentication requests with a valid API token. Only send the device fingerprint if the trusted app has a computed fingerprint for the end user's client.

32
Q

How is the X-Device-Fingerprint header different from the device token?

A

Device-based MFA in the Okta Sign-On Policy rules depends on the device token only and not on the X-Device-Fingerprint header.

33
Q

What are best practices for device fingerprints with web apps?

A

Okta recommends using a secure HTTP-only cookie with a random/unique value on the customer's domain as the default implementation.

34
Q

What are best practices for device fingerprints with native apps?

A

Ask the device operating system for a unique device ID.

35
Q

How do you warn a user that their password is about to expire?

A

Set the warnBeforePasswordExpired option to true. Non-expired passwords successfully complete the authentication transaction if this option is omitted or set to false.

36
Q

What is the password expiration warning?

A

Notifies the user that their password is about to expire and gives them the option to change it.

37
Q

What is SP-initiated step-up authentication?

A

*Early access feature. Only supported for SAML-based apps. You must enable the custom sign-in page before using it (only available with Okta Classic).

Every step-up transaction starts with the user accessing an application. If step-up authentication is required, Okta redirects the user to the custom sign-in page with the state token as a request parameter.

38
Q

How does step-up authentication work without an Okta session?

A

Primary authentication has to be completed by using the value of the stateToken request parameter passed to the custom sign-in page. The global session policy and the related authentication policy are evaluated after successful primary authentication.

39
Q

How does Factor enrollment work for step-up authentication with an Okta session?

A

The user is assigned to an MFA Policy that requires enrollment during the sign-in process and must select a Factor to enroll to complete the authentication process.

40
Q

What is IdP-initiated step-up authentication?

A

*Early access feature. Only supports WS-Federation and SAML-based apps.

Passes the application instance ID of the app as "audience" along with the user credentials. (audience is a deprecated parameter.)

41
Q

What is the Authorization API endpoint to change a password?

A

/api/v1/authn/credentials/change_password

42
Q

What information do you need to provide to the change_password endpoint?

A

The existing password and the new password, for authentication transactions with either the PASSWORD_EXPIRED or PASSWORD_WARN state.

43
Q

What is the purpose of the PASSWORD_EXPIRED status?

A

A user must change their expired password for an authentication transaction with this status to successfully complete the transaction.

44
Q

What is the purpose of the PASSWORD_WARN status?

A

A user may opt out of changing their password when the transaction has this status.

45
Q

What are the request parameters for change password?

A

newPassword: New password for the user

oldPassword: User's current password that is expired or about to expire

revokeSessions: When set to true, revokes all user sessions except for the current session

stateToken: State token for the current transaction

46
Q

What is the Authorization API endpoint to enroll, activate, manage, and verify factors?

A

/api/v1/authn/factors

47
Q

What is the endpoint outside the authorization context to manage factors?

A

/api/v1/users/:uid/factors/

48
Q

What are the request parameters for enroll Factor?

A

factorType: Type of Factor

profile: Profile of a supported Factor

provider: Factor provider

stateToken: State token for the current transaction

49
Q

What state does the authentication transaction transition to if a Factor requires activation?

A

MFA_ENROLL_ACTIVATE

50
Q

What does the Enroll Okta Security Question Factor do?

A

Enrolls a user with the Okta question Factor and a question profile. The Security Question Factor doesn't require activation and is ACTIVE after enrollment.

51
Q

What does the Enroll Okta SMS Factor do?

A

Enrolls a user with the Okta sms Factor and an SMS profile. A text message with an OTP is sent to the device during enrollment and must be activated by following the `next` link relation to complete the enrollment process.

52
Q

What does the Enroll Okta Call Factor do?

A

Enrolls a user with the Okta `call` Factor and a Call profile. A voice call with an OTP is sent to the device during enrollment and must be activated by following the `next` link relation to complete the enrollment process.

53
Q

What does the Enroll Okta Email Factor do?

A

Enrolls a user with the Okta email Factor using the user's primary email address. An email message with an OTP is sent to the user during enrollment and must be activated by following the `next` link relation to complete the enrollment process.

54
Q

What does the Enroll Okta Verify TOTP Factor do?

A

Enrolls a user with the Okta `token:software:totp` Factor. The Factor must be activated after enrollment by following the `next` link relation to complete the enrollment process. This implements the TOTP standard, which is used by apps like Okta Verify and Google Authenticator.

55
Q

What does the Enroll Okta Verify Push Factor do?

A

Enrolls a user with the Okta Verify `push` Factor. The Factor must be activated on the device by scanning the QR code or visiting the activation link sent via email or SMS. Use the published links to embed the QR code or distribute an activation 'email' or 'sms'. This also implements the TOTP standard.

56
Q

What does the authentication poll request do?

A

Verifies successful authentication and obtains a session token.

57
Q

Who can use the WebAuthn Factor?

A

Those using the Okta-hosted Sign-In Widget. If you are using a self-hosted customized Sign-In Widget, you must first upgrade to widget version 3.4.0 and enable the configuration option.

58
Q

What is the request parameter for Enroll WebAuthn?

A

stateToken: State token for the current transaction

59
Q

What are the response parameters for Enroll WebAuthn?

A

In the embedded resources object, the `factor._embedded.activation` object contains properties used to guide the client in creating a new WebAuthn credential for use with Okta.

60
Q

What enrollment Factor is not supported via the Authentication API?

A

Enroll custom HOTP Factor

61
Q

What is the API endpoint for Activate Factor?

A

/api/v1/authn/factors/${factorId}/lifecycle/activate

62
Q

What are the request parameters for Activate TOTP Factor?

A

factorId: id of Factor returned from enrollment

passCode: OTP generated by device

stateToken: State token for the current transaction

63
Q

What are the request parameters for Activate SMS Factor?

A

factorId: id of Factor returned from enrollment

passCode: OTP generated by device

stateToken: State token for the current transaction

64
Q

What are some characteristics of Activate Push Factor?

A

Asynchronous.

Must be polled for completion when the factorResult returns a WAITING status.

Has a short lifetime and returns TIMEOUT if it is not completed before the expireAt timestamp.

65
Q

What are the request parameters for Activate Push Factor?

A

factorId: id of Factor returned from enrollment

stateToken: State token for the current transaction

66
Q

What are the request parameters for Activate U2F Factor?

A

clientData: base64-encoded client data from the U2F JavaScript call

factorId: id of Factor returned from enrollment

registrationData: base64-encoded registration data from the U2F JavaScript call

stateToken: State token for the current transaction

67
Q

What are the request parameters for Activate WebAuthn?

A

attestation: base64-encoded attestation from the WebAuthn JavaScript call

clientData: base64-encoded client data from the WebAuthn JavaScript call

factorId: id of Factor returned from enrollment

stateToken: State token for the current transaction

68
Q

What is Verify Factor?

A

Verifies an enrolled Factor for an authentication transaction with the MFA_REQUIRED or MFA_CHALLENGE state.

69
Q

What is the endpoint for Verify Security Question Factor?

A

/api/v1/authn/factors/${factorId}/verify

70
Q

What are the request parameters for verify Security Question Factor?

A

answer: Answer to the security question

factorId: id of Factor

rememberDevice: User's decision to remember the device

stateToken: State token for the current transaction

71
Q

What are the request parameters for verify SMS Factor?

A

factorId: id of Factor

passCode: OTP sent to device

rememberDevice: User's decision to remember the device

stateToken: State token for the current transaction

72
Q

What are the request parameters for verify Call Factor?

A

factorId: id of Factor

passCode: OTP sent to device

rememberDevice: User's decision to remember the device

stateToken: State token for the current transaction

73
Q

What are the request parameters for verify TOTP Factor?

A

factorId: id of Factor

passCode: OTP sent to device

rememberDevice: User's decision to remember the device

stateToken: State token for the current transaction

74
Q

What are the request parameters for verify Push Factor?

A

autoPush: User's decision to send a push to the device automatically

factorId: id of Factor

rememberDevice: User's decision to remember the device

stateToken: State token for the current transaction

75
Q

What are the request parameters for verify U2F Factor?

A

clientData: base64-encoded client data from the U2F token

factorId: id of Factor

rememberDevice: User's decision to remember the device

signatureData: base64-encoded signature data from the U2F token

stateToken: State token for the current transaction

76
Q

What is the endpoint for verify WebAuthn Factor?

A

/api/v1/authn/factors/${factorIdOrFactorType}/verify

77
Q

What are the request parameters for verify WebAuthn Factor?

A

authenticatorData: base64-encoded authenticator data from the WebAuthn authenticator

clientData: base64-encoded client data from the WebAuthn authenticator

factorId: id of Factor

factorType: factorType of Factor; for WebAuthn, it is webauthn

rememberDevice: User's decision to remember the device

signatureData: base64-encoded signature data from the WebAuthn authenticator

stateToken: State token for the current transaction

78
Q

What are the request parameters for forgot password?

A

factorType: Recovery Factor to use for primary authentication

username: User's non-qualified short-name (for example: dade.murphy) or unique fully qualified sign-in name (dade.murphy@example.com)

79
Q

How does forgot password with a trusted application work?

A

Allows a trusted application such as an external portal to implement its own primary authentication process and directly obtain a recovery token for a user given just the user's identifier.

80
Q

What are the request parameters for verify SMS recovery Factor?

A

passCode: OTP sent to device

stateToken: State token for the current recovery transaction