FIDO2 (WebAuthn)

The FIDO2 (WebAuthn) factor lets you use a biometric method, such as fingerprint reading, to authenticate. This factor supports three authentication methods:

  • Security keys, such as YubiKey or Google Titan.
  • Platform authentication that's integrated into a device and uses biometric data, such as Windows Hello or Apple Touch ID.
  • Sign-ins to URLs that are different from the org's Okta URL or custom domain URL, or for trusted cross-origin and cross-Relying Party Identifier validation when using the Trusted Origins API. See Configure Trusted Origins.

FIDO2 (WebAuthn) follows the FIDO2 Web Authentication (WebAuthn) standard. After this factor is enabled, end users can select it when signing in and use it for additional authentication.

To set up and manage YubiKeys to use the one-time password (OTP) mode, see YubiKey (MFA).

Enroll a WebAuthn security key for a user

You can enroll a WebAuthn security key on behalf of a user.

  1. In the Admin Console, go to Directory > Users.
  2. Find the user you want to enroll.
  3. Click Profile to view the user attributes page.
  4. Under More Actions, click Enroll FIDO2 Security Key.
  5. Click Register to enroll the key. Your browser or device prompts you to enroll the key.
  6. Follow the on-screen instructions. A confirmation message appears when enrollment is successful.

Current limitations

On Google Chrome browsers, the FIDO2 (WebAuthn) factor isn't usable if the browser requires an update. WebAuthn functionality is restored when you restart the browser after applying the update.

Each user can configure a maximum of 10 WebAuthn enrollments.

User experience

If this factor is enabled, users can select it when signing in and set it up so it can be used for additional authentication. Depending on your configuration, users may also be required to provide User Verification. This verification can include a biometric challenge, PIN, or password in addition to tapping the device.

When enrolling a WebAuthn Security Key or Biometric factor, users are prompted to allow Okta to have information about that particular enrolled factor. This allows each FIDO2 (WebAuthn) factor to appear by name in the Extra Verification section of the user's Settings page.

If a user is only enrolled in the FIDO2 (WebAuthn) factor, they risk being unable to authenticate into their account if something goes wrong with their FIDO2 (WebAuthn) factor or device. To mitigate this risk, encourage users to set up other MFA factors, in addition to FIDO2 (WebAuthn), that aren't bound to a particular device, and to create multiple WebAuthn enrollments in multiple browsers and on multiple devices, to ensure that they can always access their Okta account in the event that one of their devices malfunctions, or is lost or stolen.

FIDO2 (WebAuthn) factor enrollments, such as Touch ID, are attached to a single browser profile on a single device.

If users want to use a FIDO2 (WebAuthn) factor on multiple browsers or devices, advise them that they must create a new FIDO2 (WebAuthn) enrollment in each browser, and on each device, in which they want to use the factor.

For example, if a user has Google Chrome and Firefox browsers on a Microsoft Windows computer, and Google Chrome and Safari browsers on an Apple Macintosh computer, they must create a new WebAuthn enrollment in each of those four browsers.

If they have multiple Google account profiles in the Google Chrome browser, they must also create a new WebAuthn enrollment for each of those Google account profiles.

Passkey Management

Passkeys are an implementation of the FIDO2 standard in which the FIDO credential may exist on multiple devices, such as on phones, tablets or laptops, and across multiple operating system platforms. Passkeys enable WebAuthn credentials to be backed up and synchronized across devices. This preserves the strong key-based/non-phishable authentication model of WebAuthn/FIDO while trading off some enterprise security features, such as device-bound keys and attestations, that are available today with some WebAuthn authenticators. Users no longer need to carry their security key or phone to pass multifactor authentication challenges. Instead, they can use any device they have already enrolled to authenticate themselves because their credential isn't confined to a single device.

In managed-device environments, users may be able to enroll unmanaged devices to a passkey credential and use such devices to gain access to corporate systems. Okta allows admins to block the use of passkeys for new FIDO2 (WebAuthn) enrollments for their entire org. When this feature is turned on, users won't be able to enroll new, unmanaged devices using pre-registered passkeys. Admins can ensure that security policies are enforced on managed devices and address the risk of unmanaged and potentially compromised devices accessing corporate systems.

When you turn this feature on, that is, block the use of passkeys in your org, users running macOS Monterrey won't be able to enroll in Touch ID using the Safari browser.

Block the use of passkeys

This feature is off by default. Turn this feature on and block the use of passkeys in your org:

  1. In the Admin Console, go to Settings > Features.

  2. Click the toggle switch for the Block Passkeys for FIDO2 (WebAuthn) Authenticators option. The toggle switch turns blue.

Allow the use of passkeys

This is the default setting. Turn this feature off and allow the use of passkeys in your org:

  1. In the Admin Console, go to Settings > Features.

  2. Click the toggle switch for the Block Passkeys for FIDO2 (WebAuthn) Authenticators option. The toggle switch turns gray.

WebAuthn, browser and Okta compatibility

Okta testers have tested browser and WebAuthn implementations to determine which ones are compatible with Okta. See FIDO2 (WebAuthn) compatibility for details.

Related topics

FIDO2 (WebAuthn) compatibility

Multifactor Authentication

Configure Trusted Origins

Trusted Origins API

Network Zones

General Security

Sign-on policies

HealthInsight

FIDO2 (WebAuthn) compatibility