The newly issued Multi-Factor Authentication (MFA) for Unclassified and Secret DoD Networks memorandum is a critical policy accelerator for the U.S. Department of Defense's Zero Trust strategy. As an update to DoD Instruction (DoDI) 8520.03, Identity Authentication for Information Systems (May 2023), the directive significantly expands the approved authentication methods for secure access beyond the traditional Common Access Card (CAC).

It details and expands the approved non-PKI MFA options, including phishing-resistant authenticators such as Okta FastPass and hardware devices such as RSA HW SecurID tokens and YubiKeys with CTAP1/U2F and CTAP2/FIDO2 passkey functions (all fully supported by the Okta Platform). This helps ensure that the vast DoD community, including edge use cases from foreign nationals to emergency accounts used in response to crisis situations, has verified access to mission-essential systems.

The directive provides clear authorization for commercial Identity, Credential, and Access Management (ICAM) solutions, allowing the DoD to modernize its security perimeter. Okta, approved for use in properly configured, DoD-authorized Impact Level 5 (IL5) environments and for Controlled Unclassified Information (CUI), leverages its identity security fabric to directly support key use cases outlined in the memo.

Okta is also a foundational technology within the Defense Manpower Data Center (DMDC)’s myAuth, a DoD-approved authentication system that provides secure access to healthcare, education, and human resources applications to an estimated 20 million people.

Below is a detailed extract from the DoD’s new MFA Policy Memorandum, highlighting the rules, restrictions, and credential types associated with Okta solutions.

Issuer: Okta

Credential / Authenticator: Okta Verify MFA with cryptographic FastPass

Rules:

  • Approved for access to data up to (and including) CUI, regardless of whether the data is hosted in an IL2, IL4, or IL5 cloud environment.

  • Abide by the Okta IDaaS STIG.

Restrictions:

  • Not approved for the DoD Secret Fabric or other classified networks or cloud environments.

  • See footnote for the IT Privileged User use case.*

*Okta supports Functional Privileged Users when configured in accordance with the IDaaS STIG. Okta supports IT Privileged Users through multiple non-PKI paths: passkey technology (CTAP2/FIDO2) and physical YubiKey tokens using CTAP1/U2F. See Table 4 of the memorandum for further guidance.

To learn more about Okta’s permitted authentication methods, explore our documentation on the phishing-resistant, passwordless experience of Okta FastPass and the security provided by our Okta IDaaS STIG compliance.

In addition to secure, phishing-resistant MFA, the Okta for US Military platform contains the following capabilities from the DoD ICAM Reference Architecture: Identity Provider (IdP), Automated Account Provisioning (AAP), Master User Record (MUR), Identity Governance and Administration (IGA), and Functional Privileged Access Management (PAM). These are the key pillars of an ICAM technology stack.

When DoD customers use Okta as their ICAM technology stack, they have control of the entire identity lifecycle. Our ICAM stack is vendor-neutral with respect to MFA technologies: customers can use Okta's native MFA (Okta FastPass) and/or any of the other MFA technologies outlined in the memo.

We invite you to explore a 90-day, no-cost trial of Okta Identity Governance. For more information regarding Okta’s solutions for the DoD, please contact us at dod@okta.com.