Step-by-step: TypingDNA as a 2FA factor in Okta

TypingDNA Verify 2FA integrates with Okta using OIDC, allowing it to function seamlessly as a two-factor authentication method. This setup is compatible with both Okta's Identity and Classic Engines. The following steps outline the necessary actions:

Prerequisites

A. On TypingDNA dev/client side:

  1. Add a new OIDC integration under Verify 2FA

B. On Okta side:

  1. Add TypingDNA Verify 2FA as an IdP (Identity Provider)
  2. Add the newly created TypingDNA IdP as an Authenticator (MFA factor)
  3. Update Authentication Policies

Let’s proceed step by step.

Add a new OIDC integration from the TypingDNA side

To begin, log into your TypingDNA dev account.
Note: An upgrade to the Enterprise level is required to use the OIDC integration.

Ensure the Verify 2FA tab is active.

Select Integrations from the left-side menu. In the OIDC integrations panel, click Add new integration.

Name your integration and click Create.

Now, you should be able to view your integration in the OIDC integrations panel.

From here you can edit the redirect URI (adding the one obtained from Okta, as explained below) and view your OIDC credentials and endpoints, which you will need on the Okta side in the next section.

With the OIDC integration established in TypingDNA, proceed to the Okta Admin Console.

Add TypingDNA as a new OpenID Connect IdP (OIDC IdP)

First, log into your Okta Admin Console.

Go to Security > Identity Providers and click Add identity provider.

From the identity providers list, choose OpenID Connect IdP (OIDC IdP).

Now complete all fields with the information provided in your OIDC integration at TypingDNA. Make sure to select IdP Usage > Factor only.

Copy the Client ID and Client Secret from the OIDC integration at TypingDNA, along with the endpoint URLs.

Leave the other options unchecked/uncompleted, as seen below.

Once saved, you should be able to see the Redirect URI when you configure this IdP. To see the Redirect URI, just click on the IdP’s name. Copy the Redirect URI, as you will need it in the next step.

Copy & Paste Redirect URI from Okta to TypingDNA

The Redirect URI needs to be pasted on the TypingDNA side: click the Edit icon of your OIDC integration.

Now paste your Redirect URI here.

Add a new Authenticator (in Okta)

In Okta, go to Security > Authenticators and click Add authenticator.

Click on IdP Authenticator.

Now, select the Identity Provider (IdP) defined at the previous step (we called it “TypingDNA 2FA”).

Our TypingDNA Authenticator is now set up.

Updating Authentication Policies

At this time, TypingDNA is typically added automatically as an authentication factor to the default policy. However, you can verify this by selecting Security > Authentication Policies.

Here you should have a main policy that is used by most apps (ours is called “Any two factors”). You should also be able to see in which apps it is used.

If you click the policy name, you can look at its rules. Typically, the newly created IdP should be listed in the Catch-all Rule under Additional factor types.

Optional: Since TypingDNA Verify 2FA is designed for computer keyboards, we deactivated the option to use it on phones. On a phone the app will simply fail to work and prompt the user for a different factor from your policy. However, for a better user experience, and to make sure your users are never prompted for TypingDNA when logging in from a phone (iOS or Android), we recommend adding another rule that applies only to mobile phones and suppresses the Phone and Email factors (which also suppresses OIDC integrations).

Note that the Phone factor should be suppressed anyway when logging in from a phone, since that same phone might already be compromised.

Note that the above policy outcomes can be obtained with various other policy strategies (e.g. with individual policies targeting each device type). This is just a simple, UX-friendly way to offer the best 2FA/MFA options for each device through Rules applied within the same Authentication Policy.

How does it work for a user?

Users must enroll with TypingDNA, either automatically via Okta's two-factor requirement or manually through Settings > Security Methods, as seen below.

When the user clicks Set up, they will be asked to re-authenticate as usual (with two factors if that is the norm), and then they will be allowed to enroll TypingDNA as a factor. Below are the typical screens the user sees before enrolling.

During enrollment, users type a random 4-word combination to create a unique typing pattern to be used in future authentications. An algorithm ensures these words cover the keyboard well enough.

At authentication, the user is simply prompted to type the words once.

If the user fails to authenticate, we let them try a second time; if they fail again, they are returned to Okta to select a different factor. If failures keep happening, we add progressive time locks, stopping impostors from trying repeatedly.
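As an added illustration (not TypingDNA's code), the following Python models the attempt flow described above: one retry per Okta challenge, a hand-back to Okta's factor selection after the second failure, and progressive time locks once failed challenges repeat. The retry count comes from the page; the lock threshold and durations are assumed, and the match function and clock are injected so the flow can be exercised without a typing-biometrics backend.

```python
from dataclasses import dataclass

ATTEMPTS_PER_CHALLENGE = 2          # page: one retry, then back to Okta's factor list
LOCK_AFTER_FAILED_CHALLENGES = 2    # assumed: locks start with the 2nd failed challenge
LOCK_SCHEDULE_SECONDS = (30, 120, 600, 3600)  # assumed progressive lock durations


@dataclass
class UserState:
    failures_in_challenge: int = 0  # failed typings inside the current Okta challenge
    failed_challenges: int = 0      # challenges exhausted without a match; reset on success
    locked_until: float = 0.0       # clock value until which attempts are refused


class TypingFactorFlow:
    """Decides verify / retry / fallback / locked for each attempt.
    verify_fn(user, sample) -> bool is the behavioural match (assumed interface);
    now_fn() -> float is the clock, injected so the lock logic is testable."""

    def __init__(self, verify_fn, now_fn):
        self._verify = verify_fn
        self._now = now_fn
        self._users: dict[str, UserState] = {}

    def attempt(self, user: str, sample: str) -> tuple[str, int]:
        """Returns (outcome, n): retries left for "retry", lock seconds for
        "fallback" (0 = no lock yet) and "locked", 0 for "ok"."""
        st = self._users.setdefault(user, UserState())
        now = self._now()
        if now < st.locked_until:                       # time lock still active
            return ("locked", int(st.locked_until - now))
        if self._verify(user, sample):                  # pattern matched: clear history
            self._users[user] = UserState()
            return ("ok", 0)
        st.failures_in_challenge += 1
        if st.failures_in_challenge < ATTEMPTS_PER_CHALLENGE:
            return ("retry", ATTEMPTS_PER_CHALLENGE - st.failures_in_challenge)
        # Second failure in this challenge: hand the user back to Okta to pick
        # another factor, and start or escalate the time lock once failures repeat.
        st.failures_in_challenge = 0
        st.failed_challenges += 1
        lock = 0
        if st.failed_challenges >= LOCK_AFTER_FAILED_CHALLENGES:
            step = st.failed_challenges - LOCK_AFTER_FAILED_CHALLENGES
            lock = LOCK_SCHEDULE_SECONDS[min(step, len(LOCK_SCHEDULE_SECONDS) - 1)]
            st.locked_until = now + lock
        return ("fallback", lock)
```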

How to reset TypingDNA for a user?

A user with admin privileges can reset an authenticator for any user at any time.

Go to Directory > People and find the desired user using the search box. Then, from the More Actions dropdown menu, pick Reset Authenticators.

In the popup, select TypingDNA authenticator and click Reset Selected Authenticators.

At this time, because of how OIDC integrations work, you will also have to reset the user from the TypingDNA dev account. Note that we are working on removing this step completely.

Go to your TypingDNA dev/client account, open the Verify 2FA tab and find the OIDC integration that you are using in Okta. Click the user icon.

Enter the user email address that is used in Okta, and click Get info. Once the information is retrieved, click Delete User.

Now the user can safely set up TypingDNA again if they choose to. Note that the user can perform the initial reset from Okta, from their account's Settings > Security Methods page, but they will not be able to remove themselves from TypingDNA. In that case the TypingDNA factor is not reset but reactivated. This is a problem if the user tried to reset the factor because of a major incident affecting their hands, or because they now use a completely different keyboard that does not let them type naturally. In those cases an administrator will need to reset the factor.

Have questions?

Feel free to contact us with any further questions at support@typingdna.com