Okta MFA
All staff public documents for Okta MFA
-
Okta FAQs
Okta Frequently asked questions

Do I need Okta Verify on a device in my possession?
Yes, you will need to use Okta Verify regularly as a second factor to verify it is you. It's important to have Okta Verify on a device you have with you when accessing SPPS applications, including Microsoft Office 365 and all Google apps.

Is Okta Verify an SPPS-specific application? Can I use it for personal MFA?
Okta can be used on a personal phone as an authentication app for personal accounts. Okta Verify is an authentication application that has been available for personal use for many years. If you install Okta Verify on a personal phone, you can still use it to sign in to personal accounts even if you leave SPPS, and SPPS cannot see or control those accounts.

How often will I need to sign in and verify?
Verification will depend on multiple things. If signing in from school it will be less often. When Okta detects a change in location it will ask you to verify your identity. If you log in from a location that is more risky, such as a coffee shop or free public WiFi, it will ask you to verify every time.

I am currently using a different authenticator (Google or Microsoft), do I need to switch?
Unfortunately Microsoft Authenticator does not work with Okta, so anyone currently using it will need to switch. Google Authenticator is still being reviewed and is not available at this time, so users will need to switch to Okta Verify.

Can I install Okta Verify on my personal computer?
Yes, you may install Okta Verify on your personal Mac or PC. For MacBooks the application is available in the Apple App Store free of cost. For PC you can download the latest version from the following link: Okta Verify for PC

Do I need to have multiple authenticators (MacBook, iPad, phone)?
You only need one authenticator to gain access; however, if there are any issues with that device you will not be able to access SPPS resources without assistance from Technology Services. Therefore, we highly recommend having more than one authenticator set up. It is important to have backup options should you forget your device at home, or if the battery dies. Think of Okta like your school badge: without it you cannot get in. You will need to have an authenticator anytime you are accessing email and other SPPS applications.

I'm trying to add Okta to another device but it's asking to scan a QR code or enter an 8 digit code?
If you are adding Okta to a second (or third) device you will need to be at the device you currently have Okta Verify set up on. The directions for adding more devices are here: Setup a secondary device in Okta (QR code or 8 digit code)

How do biometrics work?
When a MacBook, cell phone, iPad, or Windows laptop sets up biometrics it does not send that information anywhere. The scanner creates a mathematical algorithm based on your fingerprint and stores that algorithm in the TPM chip on a Windows device or in your local keychain for Apple devices. Your fingerprint cannot be recreated using the algorithm. If your keychain is broken this will also break the ability to use your fingerprint. This information never leaves the device and is not accessible to SPPS, Apple, or Microsoft.

What if I don't want to use biometrics?
Biometrics are by far the most secure way to secure your account and prevent someone else from logging in as you. Passwords can be guessed, social engineered to narrow password options, or brute forced using computers to try endless combinations. Currently some devices will allow a user to skip setting up biometrics, but it makes authentication much more difficult, requiring a user to enter their password several times. You may request a YubiKey to use for authentication, but that comes with certain challenges. The YubiKey would be the best option for those that refuse to use biometrics. We are looking for other options for users that do not require biometrics. If other options become available we will update this article.

Why do we need MFA?
Every day our data security team is resetting passwords for users that had their email password compromised. MFA helps protect our accounts from hackers. In the past few years school districts have become a large target for hackers. Over 100 schools have been hacked in the past few years, costing each school millions of dollars. The average data breach costs 4.5 million dollars, and a single cyber event can cost a district anywhere from $50,000 to over 10 million.
-
Setup a secondary device in Okta (QR code or 8 digit code)
1) Open Okta from System tray.
2) Click on your Name.
3) Click on Add Account to New Device.
4) If you have Fingerprint set up you will get the following prompt. Touch the fingerprint reader to continue.
5) From your phone, computer, or iPad open Okta Verify. If you don't have Okta installed follow the directions for installing the app from one of the following guides: https://servicedesk.spps.org/support/solutions/folders/19000101437
6) On the new device select Add account >> Organization >> Add account from another device.
7) Scan the QR code with a phone or iPad or enter the 8 digit code on a different computer.
8) The device you are setting up will pop up a pin to enter on this device.
9) Finish setting up on the new device now.

If this method is not working, sign into Okta.spps.org and click on your name in the upper right, then select "Settings". Under Security Methods > Okta Verify, select "Set up another". You will need to authenticate; then on the next screen you will see an Okta Verify prompt. Select "Set up". From this point follow the directions starting at #7.
-
Okta MFA for MacBooks
Okta Multi-Factor Authentication (MFA)
Okta MFA Enrollment for MacBooks

Okta Verify for Mac walkthrough video

Please note these directions are to assist in setting up the MacBook as your first device. If you already have a device with Okta installed the directions are similar, but you will need your other device with you to get the 8 digit code.

Okta Verify Application Configuration

On your MacBook navigate to Finder > Applications and click on Okta Verify to launch the application. If you cannot locate Okta Verify on your computer, please install the application through Self Service. Please note that you will need to sign in to Self Service to see Okta. Once Okta Verify is installed and running it will show in the upper right corner on the menu bar.

A “Welcome to Okta Verify” screen should open. Click the Get Started button to start the configuration if this is your first device. If you already have a device set up, select "Add account from another device" and jump to the section with the same name (after #10). (Note: If you had previously enrolled your current device you should see the SPPS account when you open the app.)

On the “New account” screen, enter “okta.spps.org” if it doesn’t autofill with this information. Then click the Next button to continue.

You will see a screen with information about Touch ID with Okta Verify. It's highly encouraged to set up Touch ID on your MacBook for quicker and more secure login. The MacBook creates an encrypted math algorithm based on your fingerprint and stores it locally on the device. If you use more than one device you will need to set up your fingerprint on each device. The fingerprint data (or algorithm) is not able to be exported or downloaded. (If you've already set up Touch ID, click the Next button to continue with the setup.)

Your default browser should open to an Okta sign-in page. When prompted enter your email address (firstname.lastname@spps.org). Click the Next button to continue. (Note: If you have a different device already enrolled, Okta will prompt you to verify using that device. If that device is not accessible you will not be able to enroll a new device without it.)

Enter your active directory password and click Verify to continue.

When you see "allow this page to open Okta Verify", select Allow to continue with the setup.

If you already have Touch ID set up, you will get a prompt to enable Touch ID for your Okta Verify account. Enable Touch ID to continue with the setup. If you do not have Touch ID set up, you will be prompted to set up the biometric at some point during the process. Here is a walkthrough guide from Apple for setting up your fingerprint on your MacBook - link to Touch ID guide.

When prompted scan your fingerprint to complete the setup.

This configuration allows for the use of Okta FastPass, which will allow for quicker and more secure authentication.

Adding an Account from Another Device

On the “Welcome to Okta Verify” screen select "Add account from another device". You should see the following screen.

On your other device open the Okta Verify app and click on the arrow next to your account. This will open a new window where you can select "Add account to new device". You will be prompted for Touch ID or a password, then you should get a QR code with an 8 digit code.

Enter the 8 digit code on the new device and press enter. After adding the account it will prompt to set up Touch ID.

Post MFA Enrollment Steps

On your desktop open a browser and go to okta.spps.org.

Sign in using your SPPS email firstname.lastname@spps.org and click the Next button to continue.

Verify with your active directory password and click the Verify button to log in. You will be prompted for a biometric.

After verifying your identity, you will be brought to the Okta dashboard and should see the SPPS MFA Test App.

When you select the SPPS MFA Test App it will launch in your browser. You should see your first and last name, along with your email. This is how easy it will be to open applications using Okta in the future. Technology Services will be working to add Google and Office 365 to Okta to create a quick access dashboard for SPPS applications.

Additional Configuration for Okta Verify

We highly encourage configuring an additional device, such as your iPad, work phone, or personal phone, as a backup should you not have your laptop or computer.

On your desktop open a browser and go to Okta.spps.org, and if you are not logged in use your firstname.lastname@spps.org email address and active directory password.

In the top right corner click on your name to bring up the menu and then select Settings.

Select the Setup another button on the Okta Verify line underneath Security Methods to start the additional Okta Verify enrollment steps. This is also where one can add and remove devices should you get a new computer, iPad or phone.

You will be prompted to “Use Okta FastPass” or Password. Click Select by “Use Okta FastPass” to make the process quick.

Select Allow to open Okta Verify.

You will be prompted to scan your fingerprint just like you were during the desktop application setup. Scan your fingerprint to continue the setup.

At this point follow the Okta MFA Enrollment for iPads and Phones Guide starting at Step 5. You will need to have the Okta Verify app installed on your phone. Okta Verify should be pushed out to all staff iPads; however, if it is not there you can install the app from self-service.
-
Okta MFA for PCs
Okta Multi-Factor Authentication (MFA)
Okta MFA Enrollment for PCs

Okta Verify Application Configuration

On your PC, in the search window enter software center and select to open. Alternately, navigate to the Windows Button and on the Application List scroll down to Microsoft Endpoint Manager, then select the dropdown to find Software Center.

In the Software Center click on the Okta Verify App.

Click the Install button to install the Okta Verify App.

The Okta Verify app should launch; if not, open the Okta Verify app from your desktop.

You should be greeted with a “Welcome to Okta Verify” screen. Click the Get Started button to start the configuration. Note: If you had already opened Okta Verify on your PC you might get the prompt to add an account rather than the “Get started” screen. Select add account and go to step 6.

The next screen explains how Okta FastPass works. Select Next.

Enter the sign-in URL https://okta.spps.org then select Next.

Your default browser will open to sign into Okta. When prompted enter your SPPS.org email address. Click the Next button to continue.

On the next screen enter your active directory password and click Verify to continue.

At some point you will be prompted to enable Windows Hello. Selecting not at this time will require you to enter your password for every sign-in. When you enable Windows Hello make sure to set the pin as something that you can remember over time, or save it to a password management tool of your choice. Windows Hello will require setting up either the fingerprint reader if available, or it will use a facial scan. You must enable one of these options for Okta FastPass to work without entering your password every time. If you choose to not enable one of those options we can assign PC users a YubiKey for authentication.

To continue with setup, select Allow when prompted to open Okta Verify.

You should now be done enrolling your computer with the Okta Verify application. Close the app and open a browser to sign into your Okta dashboard at okta.spps.org.

Post MFA Enrollment Steps

On your desktop open a browser and go to Okta.spps.org.

Sign in using your SPPS email firstname.lastname@spps.org and click the Next button to continue.

Verify with your active directory password and click the Verify button to log in. You will be prompted for a biometric.

After verifying your identity, you will be brought to the Okta dashboard and should see the SPPS MFA Test App.

When you select the SPPS MFA Test App it will launch in your browser. You should see your first and last name, along with your email. This is how easy it will be to open applications using Okta in the future. Over the summer Technology Services will be working to add Google and Office 365 to Okta to create a quick access dashboard for SPPS applications.

Additional Configuration for Okta Verify

We highly encourage configuring an additional device, such as your iPad, work phone, or personal phone, as a backup should you not have your laptop or computer.

On your desktop open a browser and go to Okta.spps.org, and if you are not logged in use your firstname.lastname@spps.org email address and active directory password.

In the top right corner click on your name to bring up the menu and then select Settings.

Select the Setup another button on the Okta Verify line underneath Security Methods to start the additional Okta Verify enrollment steps. This is also where one can add and remove devices should you get a new computer, iPad or phone.

You will be prompted to “Use Okta FastPass” or Password. Click Select by “Use Okta FastPass” to make the process quick.

Select Allow to open Okta Verify.

You will be prompted to scan your fingerprint just like you were during the desktop application setup. Scan your fingerprint to continue the setup.

At this point follow the Okta MFA Enrollment for iPads and Phones Guide starting at Step 5. You will need to have the Okta Verify app installed on your phone. Okta Verify should be pushed out to all staff iPads; however, if it is not there you can install the app from self-service.

Rev# 10-13-23
-
Okta MFA Enrollment for iPads, iPhones, and Android phones.
Okta Multi-factor Authentication (MFA)
Okta MFA Enrollment for iPads and Mobile Phones

On a computer

On your desktop open a browser and go to Okta.spps.org.

Sign in using your SPPS email (firstname.lastname@spps.org) and click the Next button to continue.

When prompted, verify with your active directory password and click the Verify button to continue.

The following page will show your verification options. Okta Verify will be pushed out to SPPS staff iPads and MacBooks. You may also download and install the Okta Verify app on a work or personal mobile phone to have a secondary device set up for access. The YubiKey Authenticator option is limited and will be available for Windows users as needed. (More information to follow.)

Click on the Set-up button under Okta Verify; it will bring you to the Set up screen. Keep this screen open as you will need to scan the QR code with your mobile phone or iPad to complete your enrollment.

Okta Verify should be pushed out to all staff district-owned iPads. If you do not see the Okta Verify app, the app is available in self-service.

*Note: If setting up Okta Verify on your mobile phone you will need to download the application from the app store before proceeding.
Okta Verify from Google Play - Android Phones
Okta Verify from Apple App Store - iPhones

On your iPad or Mobile Phone

Download and open the Okta Verify app on your mobile phone or iPad.

You should see a screen where you can add an account. Click the Add Account button to continue.

Select Organization for the Account Type.

You will be brought to a page asking if you have your QR code. Bring up the QR code on your computer and select Yes, Ready to Scan, and then scan the QR code on your computer with your mobile phone or iPad.
*Note: You may have to grant the Okta Verify app access to your camera before being able to scan the QR code.

You will be asked to allow push notifications; please click the Allow button so you will get notified when you need to approve a sign-in.

You will be asked if you want to enable a form of biometrics; clicking Enable will allow you to quickly access the app and approve push notifications.
*Note: If you do not choose to allow biometrics you will be prompted to input your password for every MFA prompt, as the biometrics can serve as your additional form of authentication.

You will be prompted to verify your identity. Scan your biometrics just like you would when logging into your device.

If the Okta Verify setup was successful, you will see the Account Added screen. Click the Done button to exit. You may close the app on your iPad or mobile phone at this time.

Back to the computer: after exiting out of the setup, you will be redirected to the dashboard of the Okta Verify app.

When you are requested to utilize MFA for a sign-in you will get a push notification. Click the Yes, It’s Me button to allow the sign-in and then you will have access to the application as normal.

Important Note

Whenever you get an MFA push notification be sure to pay special attention to the Location part as highlighted. If for some reason you see a location that is not near where you are logging in from, click the No, It’s Not Me button, as it may be someone else trying to log in to your account. Only select "Yes" when you are expecting a login request.

Rev# 10-13-23
-
Okta Authenticators
About MFA authenticators

The goal of a good multifactor authentication (MFA) strategy is to provide a certain level of assurance. This is the degree of confidence that the user attempting to sign in is who they say they are. Authenticators provide different levels of assurance depending on their factor type:

Possession: This is something that the user has in their possession, such as a phone, or access to an email account.
Knowledge: This is something that the user knows, such as a password, or the answer to a security question.
Biometric: This is something that the user is. It represents a physical attribute of the user that a device can scan, such as a fingerprint reader or facial scanner. The scan is used to determine that the person attempting to authenticate is the same person who originally set up this type of authentication.

This table shows the relationship between authenticators, factor types, and methods.

Factor type: Knowledge (something you know)
Authenticator: Password
Methods: n/a

Factor type: Possession (something you have)
Authenticator: Okta Verify Authenticator, WebAuthn
Methods: Okta Verify (TOTP & Push); Security Key (touch-enabled YubiKey); Email Magic Link (Future potential use); SMS (limited use case)

Factor type: Biometrics/Inherence (something you are)
Authenticator: n/a
Methods: Okta Verify (with biometrics)

Authenticators also have methods. Each method enrollment satisfies a different set of factor types and method characteristics. For example, some authenticators are bound to a specific device, while others are used to demonstrate the physical presence of the user (instead of a bot, for example). Here’s a table that describes the characteristics of methods:

Method characteristic: Device-Bound
Description: The device key or secret is stored on the device and can’t be transferred to another device without re-enrolling.
Examples: All possession authenticators except for Email and Phone

Method characteristic: Hardware-Protected
Description: An authenticator that provides hardware protection of secrets or private keys. The device key is stored on a separate device, in the Trusted Platform Module (TPM), in a secure enclave, or on a separate hardware token, such as RSA SecurID. Hardware protection isn't provided by all types of devices.
Examples: Okta Verify proof-of-possession key

Method characteristic: Phishing-Resistant
Description: An authenticator that cryptographically verifies the login server.
Examples: WebAuthn, Okta FastPass in Okta Verify

Method characteristic: User Presence
Description: The user proves they have control of the authenticator by actively authenticating (interacting with the authenticator, such as touching a YubiKey or entering a one-time password) and demonstrates their physical presence.
Examples: Every method except an Okta Verify verification signed by a proof-of-possession key

To provide higher levels of assurance, select combinations of authenticators that cover different factor types:

Select Okta Verify with biometrics enabled to verify the physical person attempting to authenticate.

When you add an authenticator, you must also configure it so it will work the way you want in your environment. Each authenticator has unique configuration requirements, and some authenticators are used for specific purposes. For example, we may configure your school email, a personal phone number, or security question authenticators to be used only for password recovery, or for access to certain apps.

Phishing resistance

Phishing-resistant authentication detects and prevents the disclosure of sensitive authentication data to fake applications or websites. WebAuthn (FIDO2) and Okta FastPass (a verification option in Okta Verify) are phishing-resistant authenticators that prevent email, SMS, and social media phishing attacks. Phishing-resistant authenticators don’t protect against attacks where the computer or network is already compromised.

Rev# 10-13-23
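
What "cryptographically verifies the login server" means in practice, as an added example (not SPPS's or Okta's code): a TOTP code is checked with no reference to the site it was typed into, while an origin-bound assertion in the WebAuthn style is accepted only for the expected origin and a fresh challenge. HMAC stands in for the authenticator's public-key signature so the block runs on the Python standard library alone; the look-alike origin, the secret, and all class and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://okta.spps.org"           # sign-in URL given on this page
LOOKALIKE_ORIGIN = "https://okta-spps.example"  # constructed look-alike origin
OTP_SECRET = b"12345678901234567890"            # RFC 6238 test secret, not a real one


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 time-based one-time code using HMAC-SHA1."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts_totp(secret: bytes, unix_time: int, code: str) -> bool:
    # The check has no origin input: the server sees only the digits.
    return hmac.compare_digest(totp(secret, unix_time), code)


class ToyAuthenticator:
    """Device-bound key holder. Assumption: HMAC-SHA256 stands in for the
    public-key signature a real WebAuthn authenticator would produce."""

    def __init__(self, device_key: bytes):
        self._key = device_key

    def sign(self, challenge: str, origin: str) -> dict:
        # In WebAuthn the browser fills in the origin; the page cannot choose it.
        client_data = json.dumps({"challenge": challenge, "origin": origin},
                                 sort_keys=True)
        tag = hmac.new(self._key, client_data.encode(), hashlib.sha256).hexdigest()
        return {"client_data": client_data, "signature": tag}


def server_accepts_assertion(device_key: bytes, issued_challenge: str,
                             assertion: dict) -> bool:
    expected = hmac.new(device_key, assertion["client_data"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False                             # signed data was altered
    data = json.loads(assertion["client_data"])
    fresh = hmac.compare_digest(data["challenge"], issued_challenge)
    return fresh and data["origin"] == REAL_ORIGIN


def demo() -> dict:
    now = 59                                     # fixed clock for a repeatable run
    key = secrets.token_bytes(32)
    device = ToyAuthenticator(key)
    challenge, old_challenge = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    wrong_site = device.sign(challenge, LOOKALIKE_ORIGIN)
    # Rewriting the origin after signing invalidates the signature.
    edited = dict(wrong_site, client_data=json.dumps(
        {"challenge": challenge, "origin": REAL_ORIGIN}, sort_keys=True))
    return {
        "otp_accepted": server_accepts_totp(OTP_SECRET, now, totp(OTP_SECRET, now)),
        "assertion_real_origin": server_accepts_assertion(
            key, challenge, device.sign(challenge, REAL_ORIGIN)),
        "assertion_lookalike_origin": server_accepts_assertion(key, challenge, wrong_site),
        "assertion_edited_origin": server_accepts_assertion(key, challenge, edited),
        "assertion_stale_challenge": server_accepts_assertion(
            key, challenge, device.sign(old_challenge, REAL_ORIGIN)),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

With a real public-key authenticator the server would hold only the public key, so a copy of the server's records would not let anyone produce assertions.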
-
Okta - Recommended Order to Enroll Devices
Devices Used to Access District Resources and Order to Enroll them into Okta

While only one authentication device is required, Technology Services recommends having at least two options to authenticate to Okta to avoid potential issues should one stop working. To access SPPS email and other applications you will need to have an authenticator. By adding Okta Verify to your cell phone (work or personal), accessing your SPPS email from other locations will be easier. Below is the recommended order of operations for installing Okta Verify, or adding devices to your available authenticators.

For users with a MacBook
MacBook and District Phone: MacBook > District Phone
MacBook and Personal Phone: MacBook > personal phone
MacBook and iPad: MacBook > iPad
MacBook, iPad, Personal Phone: MacBook > iPad > personal phone
MacBook, iPad, District Phone: MacBook > iPad > District phone

For users with a PC
Windows PC and District Phone: Windows PC > District phone
Windows PC and Personal Phone: Windows PC > personal phone
Windows PC, District Phone, and Personal Phone: Windows PC > District Phone > personal phone
Windows PC and YubiKey*: Windows PC > YubiKey*

For users with a District Phone or iPad
District Phone Only: District Phone > personal phone and/or YubiKey*
iPad only: iPad > personal phone and/or YubiKey*

Important notes:

* A YubiKey is a small USB authenticator that, when plugged into a device and touched for three seconds, enters an authentication code when signing in. With a YubiKey a user will still need to enter their password every time when signing in. There are only a limited number of YubiKeys available at this time.

** If you lose a device, a device breaks, the battery dies, or you get a new computer or phone, you will need to have a second device already set up to continue to access SPPS resources and add a new authenticator. Without a second authenticator you will need to call the help desk and have your authentication method reset.

Rev# 10-13-23
-
Okta MFA YubiKeys as a Primary Enrollment on PC and Mac
1. On a desktop PC or Mac open a browser and go to Okta.spps.org
2. Sign in using your SPPS email firstname.lastname@spps.org and click the Next button to continue.
3. When prompted to Verify with your password, type in your normal active directory password and then click the Verify button to continue.
4. The following page will show you various verification options. Click “Set up” underneath the YubiKey Authenticator option.
5. Plug in the YubiKey and touch and hold the metal part for three seconds (until a code is entered). (If you just tap the YubiKey it will enter a different code.)
6. The following page might pop up. Select "Set up Later".
7. You should get a message showing it was successful.

Please note: A user must set up a biometric or their password will be required every time. Only one of the devices is needed to sign in, but without a security method a user cannot access SPPS resources, so multiple options are important. Okta Verify with a biometric is the only option that does not require a password every time.

REV 11-10-2023
-
Okta MFA YubiKeys as a Secondary Enrollment
1. Sign into Okta.spps.org on any browser.
2. Click on your name in the upper right corner.
3. Under Settings you will find “Security Methods”. This is where a user can manage sign-in options.
4. Select “Set up” under YubiKey Authenticator.
   - To set up a YubiKey by this method a user must have Okta Verify set up first.
5. Plug in the YubiKey and touch the metal part until a code is entered. (If you just tap the YubiKey it will enter a different code.)
6. You should get a message showing it was successful.

Please note: A user must set up a biometric or their password will be required every time. Only one of the devices is needed to sign in, but without a security method a user cannot access SPPS resources, so multiple options are important. Okta Verify with a biometric is the only option that does not require a password every time.

REV 10-13-2023
-
Installing Okta on Personal Mac or PC
Yes, you may install Okta Verify on your personal Mac or PC.

Macs

For Macs the application is available in the Apple App Store free of cost: Okta Verify for Macs

You will need an Apple ID to download it. If you haven't created an Apple ID you can find instructions here.

Click here for the solution to finish enrolling a Mac.

Windows PCs

You can download the latest version from the following link: Okta Verify for PC

Click here for the solution to finish enrolling a PC. Start with Step 4.