TypingDNA Verify 2FA integrates with Okta using OIDC, allowing it to function seamlessly as a two-factor
authentication method. This setup is compatible with both Okta's Identity and Classic Engines. The following
steps outline the necessary actions:
Prerequisites
Okta admin account
TypingDNA dev/client account, upgraded to Enterprise
A. On TypingDNA dev/client side:
Add a new OIDC integration under Verify 2FA
B. On Okta side:
Add TypingDNA Verify 2FA as an IdP (Identity Provider)
Add the newly created TypingDNA IdP as an Authenticator (MFA factor)
Update Authentication Policies
Let’s proceed step by step.
Add a new OIDC integration from the TypingDNA side
To begin, log into your TypingDNA dev account.
Note: An upgrade to Enterprise level is required to utilize OIDC integration.
Ensure the Verify 2FA tab is active.
Select Integrations from the left-side menu. In the OIDC integrations panel, click Add new integration.
Name your integration and click Create. Leave the other options on default for now.
Now, you should be able to view your integration in the OIDC integrations panel.
You will be able to configure the main language, the type of auth (Client/Secret or Public/Private Key), request signing, PKCE and JWK, as well as edit your Redirect URI (adding the one obtained from Okta, explained below) and see your OIDC credentials and endpoints (needed on the Okta side, in the next chapter). Note that every auth setting chosen on the TypingDNA side (request signing, PKCE, the algorithm type, JWK settings) must be mirrored on the Okta side.
Unless you know what you’re doing, we recommend leaving these settings on default.
With the OIDC integration established in TypingDNA, proceed to the Okta Admin Console.
Add TypingDNA as a new OpenID Connect IdP (OIDC IdP)
First, log into your Okta Admin Console.
Go to Security > Identity Providers and click Add identity provider.
From the identity providers list, choose OpenID Connect IdP (OIDC IdP).
Now complete all fields with the information provided in your OIDC integration at TypingDNA.
Make sure to select IdP Usage > Factor only.
Copy the Client ID and Client Secret from the OIDC integration at TypingDNA, along with the endpoint URLs.
Leave the other options unchecked/uncompleted, as seen below.
Note that you can use a Public/Private key instead, and/or signed requests, PKCE, etc., but you have to make the same settings on the TypingDNA side. This tutorial does not cover those details, as they are security settings that do not change how the application works from a UX perspective.
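The two notes above (on the TypingDNA side and on the Okta side) both say that the auth settings must be paired. The following added example, which is not TypingDNA's or Okta's code, shows in a small simulation why: Okta acts as the OIDC client, TypingDNA as the IdP, and the IdP's authorization and token endpoints reject the exchange when the Redirect URI is not registered or when PKCE is required on one side but not used on the other. The client ID, secret, Redirect URI and lock-step behaviour are constructed for the example; no real TypingDNA endpoints are used.

```python
"""Added example (not TypingDNA's or Okta's code): why the OIDC auth settings chosen on
the TypingDNA side must be mirrored on the Okta side.

Okta is the OIDC client (relying party); TypingDNA is the IdP. The IdP below is a
constructed stand-in: its behaviour, endpoints and credentials are assumptions."""
import base64
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed values standing in for the Client ID / Client Secret shown in the
# TypingDNA integration and for the Redirect URI shown in the Okta IdP page.
CLIENT_ID = "typingdna-oidc-client"
CLIENT_SECRET = "constructed-client-secret"
OKTA_REDIRECT_URI = "https://okta.example/redirect-uri-copied-from-okta"


def _s256(verifier: str) -> str:
    """PKCE S256 transform (RFC 7636): BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def pkce_pair() -> tuple:
    """Client side: a random code_verifier and its code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    return verifier, _s256(verifier)


@dataclass
class IdpIntegration:
    """Settings of the OIDC integration on the IdP (TypingDNA) side."""
    client_id: str
    client_secret: str
    redirect_uris: set           # the Redirect URIs pasted into the integration
    require_pkce: bool = True    # the PKCE switch on the integration
    issued_codes: dict = field(default_factory=dict)

    def authorize(self, client_id, redirect_uri, code_challenge=None):
        """Authorization endpoint: validate the request, issue a one-time code."""
        if client_id != self.client_id:
            raise ValueError("unknown client_id")
        if redirect_uri not in self.redirect_uris:
            raise ValueError("redirect_uri not registered on the IdP side")
        if self.require_pkce and code_challenge is None:
            raise ValueError("PKCE required by the IdP but the client sent no code_challenge")
        code = secrets.token_urlsafe(16)
        self.issued_codes[code] = (redirect_uri, code_challenge)
        return code

    def token(self, client_id, client_secret, code, redirect_uri, code_verifier=None):
        """Token endpoint: check the secret, the code, the redirect_uri and the verifier."""
        if (client_id, client_secret) != (self.client_id, self.client_secret):
            raise ValueError("client authentication failed")
        if code not in self.issued_codes:
            raise ValueError("invalid or already used code")
        bound_uri, challenge = self.issued_codes.pop(code)   # codes are single use
        if redirect_uri != bound_uri:
            raise ValueError("redirect_uri differs from the one used at authorization")
        if challenge is not None:
            if code_verifier is None or _s256(code_verifier) != challenge:
                raise ValueError("PKCE verification failed")
        return {"id_token": "<constructed id_token>", "token_type": "Bearer"}


def okta_factor_login(idp, client_id, client_secret, redirect_uri, use_pkce):
    """Okta (client) side of a 'Factor only' IdP round trip.

    Returns True on success, or the IdP's error message so a mismatch is visible."""
    verifier, challenge = pkce_pair() if use_pkce else (None, None)
    try:
        code = idp.authorize(client_id, redirect_uri, challenge)
        tokens = idp.token(client_id, client_secret, code, redirect_uri, verifier)
    except ValueError as exc:
        return str(exc)
    return tokens["token_type"] == "Bearer"


if __name__ == "__main__":
    idp = IdpIntegration(CLIENT_ID, CLIENT_SECRET, {OKTA_REDIRECT_URI}, require_pkce=True)
    print("paired:  ", okta_factor_login(idp, CLIENT_ID, CLIENT_SECRET, OKTA_REDIRECT_URI, True))
    print("no PKCE: ", okta_factor_login(idp, CLIENT_ID, CLIENT_SECRET, OKTA_REDIRECT_URI, False))
    print("bad URI: ", okta_factor_login(idp, CLIENT_ID, CLIENT_SECRET, "https://other.example/cb", True))
```

The same pattern applies to the other paired settings (signed requests, the signing algorithm, JWK): each is a check the IdP's endpoints perform, so a value chosen on one side and not on the other ends the login with an error rather than a prompt to type.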
Once saved, you should be able to see the Redirect URI when you configure this IdP: just click on the IdP’s name. Copy the Redirect URI, as you will need it in the next step.
Copy & Paste Redirect URI from Okta to TypingDNA
The Redirect URI needs to be pasted on the TypingDNA side. Click the Edit icon of your OIDC integration.
Now paste your Redirect URI here.
Add a new Authenticator (in Okta)
In Okta, go to Security > Authenticators and click Add authenticator.
Click on IdP Authenticator.
Now, select the Identity Provider (IdP) defined at the previous step (we called it “TypingDNA 2FA”).
Our TypingDNA Authenticator is now set up.
Updating Authentication Policies
At this time, TypingDNA is typically added automatically as an authentication factor to the default policy. However, you can check by selecting Security > Authentication Policies.
Here you should have a main policy that is used by most apps (ours is called “Any two factors”). You should also be able to see in which apps it is used.
If you click the policy name, you should be able to look at its rules. Typically our newly created IdP
should be listed in the Catch-all Rule as Additional factor types.
(Optionally) Since TypingDNA Verify 2FA is designed for computer keyboards, we deactivated the option to use it on phones. On a phone the app will simply fail to work and prompt the user for a different factor from your policy. However, for better UX, to make sure your users are not prompted for TypingDNA when logging in from a phone (iOS/Android), we recommend adding another rule, only for mobile phones, that suppresses the Phone and Email factors (which also suppresses OIDC integrations).
By the way, phone factors should be suppressed anyway when logging in from a phone, since that phone might already be compromised.
Note that the above policy outcomes can be obtained with various other policy strategies (e.g. with
individual policies targeting each device type). This is just a simple UX friendly way to facilitate the
best 2FA/MFA options for each device through the use of Rules applied within the same Authentication
Policy.
How does it work for a user?
Users must enroll with TypingDNA, either automatically via Okta's two-factor requirement or manually
through Settings > Security Methods, as seen below.
When the user clicks Set up, they will be asked to re-authenticate as normal (with two factors, if that is the norm), and will then be allowed to enroll TypingDNA as a factor. See below the typical screens the user will see before enrolling.
During enrollment, users type an assigned 4-word combination to create a unique typing pattern to be
used in future authentications. An algorithm ensures these words cover the keyboard well enough.
At authentication, the user is prompted to type the words just once.
If they fail to authenticate, we allow a second attempt; if the user fails again, they are returned to Okta to select a different factor. After repeated failures, we add progressive time locks, stopping impostors from trying many times.
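The failure handling just described (one retry, then back to Okta's factor selection, and progressive time locks after repeated failures) can be modelled as a small state machine. The following is an added example, not TypingDNA's code: the number of attempts per session comes from the text, but the lock lengths, the doubling schedule and the point at which locking starts are constructed assumptions chosen to show the shape of the behaviour, not TypingDNA's actual values.

```python
"""Added example (not TypingDNA's code): a per-user gate for a typing-biometric factor.

Two attempts per authentication session; after the second miss the session ends with
a 'fallback' (the user is handed back to Okta to pick another factor); repeated failed
sessions add progressive, doubling time locks. Durations below are constructed."""
from dataclasses import dataclass, field

ATTEMPTS_PER_SESSION = 2     # from the text: one retry, then back to Okta
LOCK_AFTER_SESSIONS = 2      # constructed: locking starts with the 2nd failed session
BASE_LOCK_SECONDS = 30       # constructed: first lock length
MAX_LOCK_SECONDS = 30 * 60   # constructed: cap on the lock length


@dataclass
class UserState:
    attempts_this_session: int = 0
    failed_sessions: int = 0
    locked_until: int = 0        # epoch seconds; 0 means not locked


@dataclass
class TypingFactorGate:
    users: dict = field(default_factory=dict)

    def _state(self, user: str) -> UserState:
        return self.users.setdefault(user, UserState())

    def lock_remaining(self, user: str, now: int) -> int:
        """Seconds left on the user's lock at time `now` (0 if not locked)."""
        return max(0, self._state(user).locked_until - now)

    def verify(self, user: str, pattern_matches: bool, now: int) -> str:
        """Record one typing attempt. Returns one of:
        'ok'       the pattern matched; counters are cleared
        'retry'    first miss of the session; the user types again
        'fallback' second miss; return the user to Okta's factor selection
        'locked'   a progressive time lock is active; the attempt is not evaluated
        `pattern_matches` stands in for the biometric comparison itself."""
        s = self._state(user)
        if now < s.locked_until:
            return "locked"
        if pattern_matches:
            self.users[user] = UserState()      # success clears all counters
            return "ok"
        s.attempts_this_session += 1
        if s.attempts_this_session < ATTEMPTS_PER_SESSION:
            return "retry"
        # Second miss: close the session, count it, and lock progressively.
        s.attempts_this_session = 0
        s.failed_sessions += 1
        if s.failed_sessions >= LOCK_AFTER_SESSIONS:
            exponent = s.failed_sessions - LOCK_AFTER_SESSIONS
            lock = min(BASE_LOCK_SECONDS * 2 ** exponent, MAX_LOCK_SECONDS)
            s.locked_until = now + lock
        return "fallback"


if __name__ == "__main__":
    gate = TypingFactorGate()
    # Constructed sequence: an impostor missing repeatedly for user "alice".
    for t, outcome in [(0, False), (1, False), (2, False), (3, False), (10, False)]:
        print(t, gate.verify("alice", outcome, t), "lock:", gate.lock_remaining("alice", t))
```

The lock is applied per user and per failed session rather than per keystroke attempt, so the user still gets the retry the text promises, while someone hammering the factor sees each further session cost more time. Because the state is keyed by user, the same logic also answers the admin question of when a lock expires without touching the enrolled pattern.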
How to reset TypingDNA for a user?
A user with admin privileges can reset an authenticator for any user at any time.
Go to Directory > People and find the desired user using the search box.
Then, from the More Actions dropdown menu, pick Reset Authenticators.
In the popup, select TypingDNA authenticator and click Reset Selected Authenticators.
At this time, because of how OIDC integrations work, you will also have to reset the user from the
TypingDNA dev account.
Note that we are working on removing this step completely.
Go to your TypingDNA dev/client account, open the Verify 2FA tab and find the OIDC integration that you are using in Okta. Click the user icon.
Enter the email address the user uses in Okta, and click Get info. Once the information is retrieved, click Delete User.
Now the user can safely set up TypingDNA again if they choose to. Note that the user can perform the initial reset from Okta, from their account Settings > Security Methods page, but they will not be able to remove themselves from TypingDNA. In that case the TypingDNA factor is not reset but reactivated. This matters if the user tried to reset the factor because of a major incident with their hands, or because they are using a completely different keyboard that does not let them type naturally; an administrator will then need to reset the factor manually.