Overview
Okta is an enterprise-grade identity management solution which securely connects users to business applications, devices and tools. The Commonwealth of Virginia (COV) uses the Okta platform for multifactor authentication (MFA), which adds an extra layer of security when signing in to your COV account.
This page provides guidance on setting up Okta MFA and choosing the appropriate authentication method for your device. Multiple MFA options can be configured for the same account, allowing flexibility in how you sign in. You'll find instructions and job aids in the sections below to help you get started.
Short messaging service (SMS) and voice retirement
SMS and voice authentication has historically been used by Okta for MFA. However, due to phishing and additional security concerns, SMS (text) and voice authentication methods will no longer be available starting December 1, 2025.
Choosing the right authenticator
The Commonwealth of Virginia supports several secure authentication methods through Okta: Okta Verify, Yubikey, and Google Authenticator. Each method works best with specific device types and use cases:
-
Okta Verify is recommended for most users. It works on desktops and laptops (Windows and macOS) as well as mobile devices, including iphones and Android phones.
-
Yubikey is ideal for users who prefer or need a physical hardware key to sign in on their workstation.
-
Google Authenticator is an alternative approved option that is currently only supported on mobile devices.
You can configure one or more of these authenticators to meet your security needs.
Okta resources for COV employees and contractors
This section provides information and setup procedures for authentication methods available to COV employees and contractors. Note: This guidance applies to users who log in through virginia.okta.com.
Okta Verify is the MFA application provided by Okta that can be used for desktops, laptops, and mobile devices. It supports three authentication methods for COV users:
-
Okta FastPass (all platforms):
Workstation application that is used on the device that is requesting authentication (Note: it is required for the application to be installed in advance). Authentication will work by submitting the passcode associated with the workstation application. If the application is not installed, please contact the VITA Customer Care Center (VCCC) to have the application installed. Please note: macOS users will need to contact the VCCC for installation. -
Time-based one-time password (TOTP) (Android and iOS only; enabled by default)
Users authenticate by entering a six-digit one-time passcode (OTP) generated by Okta Verify. -
Push notification (Android and iOS only)
Users authenticate by tapping a notification that's pushed to their mobile device. This can be configured to include a challenge code.
Job aids:
Yubikey is a hardware security key (also known as a hard token) that provides authentication by connecting a USB device directly to an enabled workstation.
Job aid
-
Set up Yubikey as an authentication factor on Okta (KB0020148)
Google Authenticator offers a time-based passcode (TOPT) similar to Okta Verify. To use it, you must first download the Google Authenticator app and link it to your COV account before completing your initial authentication.
Job aids:
Okta resources for virginia-gov.okta.com users
Some applications provided by state agencies require login to virginia-gov.okta.com. These applications include VVAAS, Hotfiles and CRIS.
This section provides procedural documentation on setting up Okta MFA for virginia-gov.okta.com users. Please note, multiple MFA options can be configured for the same account.
If you have any issues, please contact the support line provided by the application owning agency during enrollment.
Okta Verify is the application for authentication that Okta offers. It is available for desktop, laptop and mobile devices.
Okta Verify provides three authentication methods: Okta FastPass, Okta time-based one time passcode (TOTP) and Okta push notifications.
When used with your workstation device (desktop and laptop) Okta FastPass is used for authentication. When used with your mobile device Okta TOTP or Okta push notifications can be used for authentication.
Job aids:
Yubikey is a hardware security key (also known as a hard token) that provides authentication by connecting a USB device directly to an enabled workstation.
Job aid
- Set up Yubikey as an authentication factor on Okta (KB0020148)
Google Authenticator offers a time-based passcode (TOPT) similar to Okta Verify. To use it, you must first download the Google Authenticator app and link it to your COV account before completing your initial authentication.
Job aids:
Troubleshooting
For answers to common questions about Okta, please refer to the following FAQs:
If you need further assistance, please contact the VITA Customer Care Center (VCCC).