Create phishing-resistant authentication policies
This topic describes how to create phishing-resistant authentication policies using the FIDO2 (WebAuthn) authenticator.
Before you begin
- Disable User enumeration prevention:
- In the Admin Console, go to and click Edit.
- Clear the checkboxes for Authentication and Recovery.
- Click Save.
- Configure the FIDO2 (WebAuthn) authenticator. Set User verification to Preferred. Note that Preferred lets users enroll authenticators that can't perform user verification; the authentication policy rule created later in this topic requires user verification, so those authenticators won't satisfy that rule.
- Optional. Add another phishing-resistant authenticator, like Okta FastPass. This ensures that users can still access their Okta account if they lose their security key (for example, a YubiKey).
Create user groups
- In the Admin Console, go to .
- Click Add group.
- Create groups for new and existing users, and name them accordingly. For example, New Employees and Existing Employees.
- Click Save.
Assign the phishing-resistant policies that you create to these groups.
Configure a global session policy
- Create a global session policy. Assign the new and existing user groups to it.
- Add a global session policy rule. Set the following conditions:
- Establish the user session with: Select Any factor used to meet the authentication policy requirements.
- Multifactor authentication (MFA): Select Required.
- Users will be prompted for MFA: Select Every time a user signs in.
- Move this policy to the top of the priority list.
Configure an authenticator enrollment policy
For existing users, set the applicable authenticator enrollment policy to FIDO2 (WebAuthn): Required or Optional.
For new users, complete the following steps:
- Create an authenticator enrollment policy. Assign it to the new and existing user groups.
- Set the following conditions for Authenticators:
- FIDO2 (WebAuthn): Select Required.
- Allowed authenticators: Select Any WebAuthn authenticators.
- Okta Verify: Select Required or Optional.
- Define whether other authenticators are Required, Optional, or Disabled.
- Configure rules for authenticator enrollment policies. Set the following conditions:
- User is accessing: Select Okta, Applications, and Any app that supports MFA enrollment.
- Enrollment is: Select Allowed for all authenticators.
- Move this policy to the top of the priority list.
Configure an authentication policy for the Okta Dashboard
- In the Admin Console, go to .
- Click Okta Dashboard. If that policy doesn't exist yet, click Add a policy and create it. See Create an authentication policy.
- Add an authentication policy rule. Set the following conditions:
- User's group membership includes: Select At least one of the following groups, and then enter the names of the new and existing user groups.
- User must authenticate with: Select Any 2 factor types.
- Possession factor constraints are: Select the following options: Phishing resistant, Require user interaction, Require biometric user verification.
- Click Save.
- Move this rule to the top of the priority list.
- On the Applications tab, click Add app.
- Click Add beside the Okta Dashboard app.
- Click Done on the Add Apps to this Policy dialog.
- Search for other apps you want to assign to these users and add them to the policy.
- Click Close.
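The Admin Console steps above are easy to get wrong on one rule and impossible to re-verify by hand across many apps. The following script is an added example (not Okta's own code) that builds the same rule as a Policies API payload and audits a rules listing for the constraints this procedure requires: two factor types, with the possession factor phishing resistant, requiring user interaction, and requiring user verification. The JSON field names (actions.appSignOn.verificationMethod, constraints[].possession.phishingResistant, userPresence, userVerification) and the group IDs in the sample are assumptions based on the Okta Policies API; confirm them against the output of GET /api/v1/policies/{policyId}/rules in your org before relying on the checks.

```python
"""Audit Okta authentication-policy rules for the phishing-resistant
constraints set in the Admin Console procedure above.

Added example; not Okta's code. Field names follow the Okta Policies API as
understood here (assumption): verify them against your org's
GET /api/v1/policies/{policyId}/rules output.
"""

# What the Okta Dashboard rule in this procedure sets: Any 2 factor types,
# and the possession factor must be Phishing resistant, Require user
# interaction (userPresence) and Require biometric user verification.
REQUIRED_POSSESSION = {
    "phishingResistant": "REQUIRED",
    "userPresence": "REQUIRED",
    "userVerification": "REQUIRED",
}


def build_rule(name, group_ids):
    """Payload for POST /api/v1/policies/{policyId}/rules that matches the
    steps above: group membership condition, 2FA, all three constraints."""
    return {
        "type": "ACCESS_POLICY",
        "name": name,
        "conditions": {"people": {"groups": {"include": list(group_ids)}}},
        "actions": {
            "appSignOn": {
                "access": "ALLOW",
                "verificationMethod": {
                    "type": "ASSURANCE",
                    "factorMode": "2FA",
                    "constraints": [{"possession": dict(REQUIRED_POSSESSION)}],
                },
            }
        },
    }


def rule_findings(rule):
    """List what keeps `rule` from being phishing resistant; [] = compliant."""
    app_sign_on = rule.get("actions", {}).get("appSignOn", {})
    if app_sign_on.get("access") != "ALLOW":
        return []  # a DENY rule grants no sign-in, so there is nothing to weaken
    vm = app_sign_on.get("verificationMethod", {})
    findings = []
    if vm.get("factorMode") != "2FA":
        findings.append(f"factorMode is {vm.get('factorMode')!r}, expected '2FA'")
    constraints = vm.get("constraints") or []
    if not constraints:
        findings.append("no constraints: any possession factor (SMS, email, ...) satisfies this rule")
    # Constraint objects are alternatives (assumption about API semantics), so
    # every one of them must be strict: one weak alternative is enough to bypass.
    for i, constraint in enumerate(constraints):
        possession = constraint.get("possession", {})
        for key, want in REQUIRED_POSSESSION.items():
            got = possession.get(key)
            if got != want:
                findings.append(f"constraints[{i}].possession.{key} is {got!r}, expected {want!r}")
    return findings


def audit(rules):
    """Map rule name -> findings for every active rule, in listing order."""
    return {r["name"]: rule_findings(r) for r in rules if r.get("status", "ACTIVE") == "ACTIVE"}


# Constructed sample of a rules listing, trimmed to the fields used here.
# Rule 1 is the one this procedure creates (group IDs are made up); rule 2
# only makes user verification optional; rule 3 is a catch-all with no constraints.
SAMPLE_RULES = [
    build_rule("Phishing resistant (new and existing employees)", ["00g_new", "00g_existing"]),
    {
        "type": "ACCESS_POLICY", "name": "Contractors", "status": "ACTIVE",
        "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
            "type": "ASSURANCE", "factorMode": "2FA",
            "constraints": [{"possession": {
                "phishingResistant": "REQUIRED", "userPresence": "REQUIRED",
                "userVerification": "OPTIONAL"}}]}}},
    },
    {
        "type": "ACCESS_POLICY", "name": "Catch-all Rule", "status": "ACTIVE",
        "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
            "type": "ASSURANCE", "factorMode": "2FA", "constraints": []}}},
    },
]

if __name__ == "__main__":
    for rule_name, findings in audit(SAMPLE_RULES).items():
        print(rule_name, "->", "OK" if not findings else "; ".join(findings))
```

Run it against the real listing by replacing SAMPLE_RULES with the JSON returned for each app policy; a rule that appears above the phishing-resistant rule in priority order and shows findings is the one users will actually hit, which is why the procedure moves the strict rule to the top.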