Set up FIDO2 (WebAuthn) authenticator and phishing-resistant policies

This set of tasks explains how to configure FIDO2 (WebAuthn) authenticator and policies that require phishing-resistant authenticators.

Before you begin

  • Disable User enumeration prevention. In the Admin Console, go to SecurityGeneralUser enumeration prevention. Clear the checkboxes for Authentication and Recovery, and then click Save.
  • Configure the FIDO2 (WebAuthn) authenticator. Set User verification to Preferred.
  • Optional. Okta recommends adding another phishing-resistant authenticator such as Okta FastPass. This ensures that users can access their Okta account if they lose their YubiKey.

Create groups for new and existing users

  1. In the Admin Console, go to DirectoryGroups.

  2. Click Add group.
  3. Create groups for new and existing users, and name them accordingly. For example, New Employees and Existing Employees.

  4. Click Save.

Assign the phishing-resistant policies that you create to these groups.

Configure a global session policy

  1. Create a global session policy. Assign it to the new and existing user groups.
  2. Add a global session policy rule. Set the following conditions:
    • Establish the user session with: Any factor used to meet the authentication policy requirements
    • Multifactor authentication (MFA): Required
    • Users will be prompted for MFA: Every time a user signs in
  3. Move this policy to the top of the priority list.

Configure an authenticator enrollment policy

For existing users, set the applicable authenticator enrollment policy to FIDO2 (WebAuthn): Required or Optional.

For new users, complete the following steps:

  1. Create an authenticator enrollment policy. Assign it to the new and existing user groups.
  2. Set the following conditions for Authenticators:
    • FIDO2 (WebAuthn): Required
    • Allowed authenticators: Any WebAuthn authenticators
    • Okta Verify: Required or optional
    • Define whether other authenticators are Required, Optional, or Disabled as needed.
  3. Configure an authenticator enrollment policy rule. Set the following conditions.
    • User is accessing: Okta and apps. Select any app that supports MFA enrollment.
    • Enrollment is: Allowed if required authenticators are missing
  4. Move this policy to the top of the priority list.

Configure an authentication policy for Okta Dashboard

  1. In the Admin Console, go to SecurityAuthentication Policies.

  2. Click the Okta Dashboard.
  3. Add an authentication policy rule. Set the following conditions:
    • User's group membership includes: At least one of the following groups. Enter the new and existing user groups.
    • User must authenticate with: Any two factor types
    • Possession factor constraints are: Phishing resistant, Require user interaction, Require PIN, or biometric user verification
  4. Move this rule to the top of the priority list.
  5. On the Applications tab, click Add app.
  6. Add the Okta Dashboard app to the policy. Search for other apps you want to assign to these users and add them to the policy.
  7. Click Close.

Next step

Set up Okta Workflows for YubiKey shipment