Create phishing-resistant authentication policies

This topic describes how to create phishing-resistant authentication policies using the FIDO2 (WebAuthn) authenticator.

Before you begin

  1. Disable User enumeration prevention:
    1. In the Admin Console, go to Security > General > User enumeration prevention and click Edit.
    2. Clear the checkboxes for Authentication and Recovery.
    3. Click Save.
  2. Configure the FIDO2 (WebAuthn) authenticator. Set User verification to Preferred.
  3. Optional. Add another phishing-resistant authenticator, such as Okta FastPass. This ensures that users can still access their Okta account if they lose their YubiKey.

Create user groups

  1. In the Admin Console, go to Directory > Groups.
  2. Click Add group.
  3. Create groups for new and existing users, and name them accordingly. For example, New Employees and Existing Employees.
  4. Click Save.

Assign the phishing-resistant policies that you create to these groups.

Configure a global session policy

  1. Create a global session policy. Assign the new and existing user groups to it.
  2. Add a global session policy rule. Set the following conditions:
    • Establish the user session with: Select Any factor used to meet the authentication policy requirements.
    • Multifactor authentication (MFA): Select Required.
    • Users will be prompted for MFA: Select Every time a user signs in.
  3. Move this policy to the top of the priority list.

Configure an authenticator enrollment policy

For existing users, set the applicable authenticator enrollment policy to FIDO2 (WebAuthn): Required or Optional.

For new users, complete the following steps:

  1. Create an authenticator enrollment policy. Assign it to the new and existing user groups.
  2. Set the following conditions for Authenticators:
    • FIDO2 (WebAuthn): Select Required.
    • Allowed authenticators: Select Any WebAuthn authenticators.
    • Okta Verify: Select Required or Optional.
    • Define whether other authenticators are Required, Optional, or Disabled.
  3. Configure rules for authenticator enrollment policies. Set the following conditions:
    • User is accessing: Select Okta, Applications, and Any app that supports MFA enrollment.
    • Enrollment is: Select Allowed for all authenticators.
  4. Move this policy to the top of the priority list.

Configure an authentication policy for the Okta Dashboard

  1. In the Admin Console, go to Security > Authentication Policies.
  2. Click Okta Dashboard, or click Add a policy if it's not there, and create it. See Create an authentication policy.
  3. Add an authentication policy rule. Set the following conditions:
    • User's group membership includes: Select At least one of the following groups, and then enter the names of the new and existing user groups.
    • User must authenticate with: Select Any 2 factor types.
    • Possession factor constraints are: Select the following options: Phishing resistant, Require user interaction, Require biometric user verification.
  4. Click Save.
  5. Move this rule to the top of the priority list.
  6. On the Applications tab, click Add app.
  7. Click Add beside the Okta Dashboard app.
  8. Click Done on the Add Apps to this Policy dialog.
  9. Search for other apps you want to assign to these users and add them to the policy.
  10. Click Close.
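As an added example that is not part of this Okta help topic: a small Python audit that reads exported policy rules and flags any that do not match the settings called for in the global session policy and Okta Dashboard authentication policy procedures above (MFA required on every sign-in; Any 2 factor types; Phishing resistant, Require user interaction and Require biometric user verification possession constraints; rule scoped to the new and existing user groups). The JSON field names (actions.signon.factorPromptMode, actions.appSignOn.verificationMethod.constraints[].possession, conditions.people.groups.include) are the author's assumption about the shape of the Okta Policies API, and the sample rules are constructed, so compare both against your own export before relying on the result.

```python
import json

# Constructed sample rules, shaped after the Okta Policies API as the author
# understands it (field names are an assumption; compare with a real export).
GLOBAL_SESSION_RULE = {
    "name": "Phishing-resistant session",
    "conditions": {"people": {"groups": {"include": ["grp_new_employees", "grp_existing_employees"]}}},
    "actions": {"signon": {"access": "ALLOW", "requireFactor": True, "factorPromptMode": "ALWAYS"}},
}

DASHBOARD_RULE_OK = {
    "name": "Phishing-resistant dashboard access",
    "conditions": {"people": {"groups": {"include": ["grp_new_employees", "grp_existing_employees"]}}},
    "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
        "type": "ASSURANCE", "factorMode": "2FA", "reauthenticateIn": "PT0S",
        "constraints": [{"possession": {
            "phishingResistant": "REQUIRED",
            "userPresence": "REQUIRED",
            "userVerification": "REQUIRED"}}]}}},
}

# A weaker rule: unscoped, single factor, no phishing resistance, no user verification.
DASHBOARD_RULE_WEAK = {
    "name": "Legacy dashboard access",
    "conditions": {"people": {"groups": {"include": []}}},
    "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
        "type": "ASSURANCE", "factorMode": "1FA", "reauthenticateIn": "PT0S",
        "constraints": [{"possession": {"phishingResistant": "OPTIONAL", "userPresence": "REQUIRED"}}]}}},
}

# Possession constraint fields that the Okta Dashboard rule above must set to REQUIRED,
# keyed to the labels shown in the Admin Console.
POSSESSION_REQUIREMENTS = {
    "phishingResistant": "Phishing resistant",
    "userPresence": "Require user interaction",
    "userVerification": "Require biometric user verification",
}


def _group_findings(rule):
    """The rule must be scoped to at least one group (the new/existing user groups)."""
    groups = rule.get("conditions", {}).get("people", {}).get("groups", {}).get("include", [])
    return [] if groups else ["rule is not scoped to the new/existing user groups"]


def check_global_session_rule(rule):
    """Return findings for a global session policy rule; an empty list means it matches."""
    findings = _group_findings(rule)
    signon = rule.get("actions", {}).get("signon", {})
    if signon.get("requireFactor") is not True:
        findings.append("Multifactor authentication (MFA) is not Required")
    if signon.get("factorPromptMode") != "ALWAYS":
        findings.append("users are not prompted for MFA every time they sign in")
    return findings


def check_dashboard_rule(rule):
    """Return findings for an Okta Dashboard authentication policy rule; empty means it matches."""
    findings = _group_findings(rule)
    method = rule.get("actions", {}).get("appSignOn", {}).get("verificationMethod", {})
    if method.get("factorMode") != "2FA":
        findings.append("rule does not require Any 2 factor types")
    constraints = method.get("constraints", [])
    if not constraints:
        findings.append("no possession factor constraints are set")
    for index, constraint in enumerate(constraints):
        possession = constraint.get("possession", {})
        for field, label in POSSESSION_REQUIREMENTS.items():
            if possession.get(field) != "REQUIRED":
                findings.append(f"constraint {index}: '{label}' is not selected")
    return findings


def audit_export(json_text, checker):
    """Run checker over a JSON list of rules; return {rule name: findings} for failing rules only."""
    report = {}
    for rule in json.loads(json_text):
        findings = checker(rule)
        if findings:
            report[rule.get("name", "<unnamed>")] = findings
    return report


if __name__ == "__main__":
    export = json.dumps([DASHBOARD_RULE_OK, DASHBOARD_RULE_WEAK])
    for name, findings in audit_export(export, check_dashboard_rule).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run it against a JSON export of your own rules by passing the file contents to audit_export with the matching checker; a rule that appears in the report is one whose settings differ from the procedures above, and the finding text names the Admin Console option to revisit.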

Next step

Set up Okta Workflows for YubiKey shipment