Enrolling in Okta Verify
Enrollment steps
- Sign in to Okta by going to this link.
- Navigate to the Settings section of your Okta account by first clicking on your name in the top right corner and then selecting Settings
- Then select Edit Profile
- After that, navigate all the way down to the section marked Extra Verification and click Set up
- Follow the steps Okta provides to set up Okta Verify on your personal device
- After that, you are all set! From here on out, you will receive push notifications on your mobile device when Okta deems it necessary to verify your identity
For any questions or trouble with the steps above, check out the FAQ section below.
FAQ
Q: Why are we doing this, what was wrong with DUO?
A: DUO has done a great job at serving its purpose for us at Jones IT so far, but we are always looking for ways to improve. The key reasons why we are ditching DUO are the following.
- Lack of true bring your own device support: At first glance, DUO appears to be a terrific tool for implementing a device trust framework. Although DUO has the ability to determine if a device meets our baseline security standards (Disk Encryption, Firewall, Endpoint Security, and so on) to access our organization's sensitive information, this is not the case in practice. Example: DUO only enables scanning for DUO-vetted Endpoint Security providers, leaving personal devices in a grey area. Because most individuals don't install enterprise security software on their personal computers (for good reason!), and because DUO only detects whether an Endpoint Security product is actively operating on a device, not whether it is actually performing properly, this data really isn't meaningful.
- Exposure of sensitive personal data that isn't essential to maintain a secure environment: An effective relationship between an organization's security team and its employees is built on a foundation of trust that is demonstrated through informed consent and transparency. This tenet is something that we don't believe DUO can provide us. Not only is the information provided by DUO inaccurate (see the Endpoint Security example above), but we also don't want to know it in the first place. Our objective is to give employees the freedom to work on whatever device they choose, wherever they want, while preserving the data security of our company. We're not in the business of compelling our employees to give up their privacy in order to contribute towards an ineffective security program.
- Roadblock for future projects: DUO requires a connection to the agent installed on the device to provide the metrics necessary for it to make a successful authentication attempt. This is a large, seemingly impossible hurdle for future projects the SE team has cooked up. Two examples are:
  - Microsoft Intune managed Windows devices for our employees.
  - Passwordless sign-in to our organization-issued Macs using Kandji Passport.
- Okta's approach to security: Okta's vision for security focuses on concrete data that is proven to be effective while not sacrificing privacy. Okta's approach to security relies on behavioral indicators as well as device trust. Combined, these two factors allow us to paint a picture that is valuable in seeing who is accessing our data and how, while not stepping over any boundaries.
Q: What information does Okta Verify collect on my personal device?
A: Okta collects:
- Device name
- Model
- Manufacturer
- Platform
- UDID (Unique Device Identifier)
- OS version
- TOTP Secret
- Encryption Keys
- Errors file logging
- Info and warning file logging
- Diagnostic and crash data
- Pendo collection
- Instabug collection
Take a look at Okta's Privacy Policy as well as their data collection page on the Okta help center for further information.
Q: Does this mean I need to install Okta Verify on all the devices I use to work in order to replace the DUO agent?
A: Nope! The Okta Verify app is only necessary on your personal phone; you will no longer need an agent to access Jones IT's resources on your devices, both organization-issued and personal.
Q: How might this change in the future?
A: We are really excited to move forward with Okta Verify. This unleashes a lot of potential for future improvements at Jones IT while making our employees' lives easier. We are hoping to use this change as a stepping stone for us to implement a few goals:
Short term:
- Microsoft Intune managed Windows devices for our employees.
- Passwordless sign-in to our organization-issued Macs using Kandji Passport.
- Enhanced device setup experience for our newly joined employees.
Long term:
- Passwordless sign-in to all of Jones IT's services in Okta.
- Improved bring your own device support leveraging Microsoft Intune and Google Workspace.
If you are still running into problems, reach out to the SE team.