WebAuthn (MFA)

The WebAuthn factor lets users authenticate with a FIDO2 authenticator, such as a hardware security key or a built-in biometric sensor like a fingerprint reader. This factor supports the following:

  • Roaming security keys, such as YubiKey or Google Titan.
  • Platform authenticators that are integrated into a device and use biometric data, such as Windows Hello or Apple Touch ID.
  • Sign-ins at URLs that differ from the org's Okta URL or custom domain URL. These require trusted cross-origin and cross-Relying Party Identifier (RP ID) validation, which is configured through the Trusted Origins API. See API token management.

WebAuthn follows the W3C Web Authentication (WebAuthn) standard, which is part of FIDO2. After this factor is enabled, end users can select it when signing in and use it for additional authentication.

To set up and manage YubiKeys to use the one-time password (OTP) mode, see YubiKey (MFA).

Enroll a WebAuthn security key for a user

You can enroll a WebAuthn security key on behalf of a user. The key must be plugged into, or paired with, the computer you're using, because the browser performs the enrollment ceremony locally.

  1. In the Admin Console, go to Directory > Users.
  2. Find the user you want to enroll.
  3. Click Profile to view the user attributes page.
  4. Under More Actions, click Enroll FIDO2 Security Key.
  5. Click Register to enroll the key. Your browser or device prompts you to enroll the key.
  6. Follow the on-screen instructions. A confirmation message appears when enrollment is successful.

Current limitations

On Google Chrome browsers, the WebAuthn factor isn't usable if the browser requires an update. WebAuthn functionality is restored when you restart the browser after applying the update.

User experience

If this factor is enabled, users can select it when signing in and set it up for additional authentication. Depending on your configuration, users may also be required to perform User Verification (the WebAuthn UV flag): a biometric challenge, PIN, or password in addition to touching the device.

When enrolling a WebAuthn Security Key or Biometric factor, the browser prompts users to allow Okta to see information about the enrolled authenticator (its attestation data). This allows each WebAuthn factor to appear by name in the Extra Verification section of the user's Settings page.

If a user is enrolled only in the WebAuthn factor, they risk being locked out of their account if their WebAuthn factor or device fails. To mitigate this risk, encourage users to set up other MFA factors that aren't bound to a particular device, and to create multiple WebAuthn enrollments across several browsers and devices. That way they can still access their Okta account if one device malfunctions, or is lost or stolen.

WebAuthn authenticator enrollments, such as Touch ID, are attached to a single browser profile on a single device.

If users want to use a WebAuthn factor on multiple browsers or devices, advise them that they must create a new WebAuthn enrollment in each browser, and on each device, in which they want to use the factor.

For example, if a user has Google Chrome and Firefox browsers on a Microsoft Windows computer, and Google Chrome and Safari browsers on an Apple Macintosh computer, they must create a new WebAuthn enrollment in each of those four browsers.

If they have multiple Chrome browser profiles (for example, one per Google account), they must also create a new WebAuthn enrollment in each of those profiles.

WebAuthn, browser and Okta compatibility

Okta has tested browser and WebAuthn implementations to determine which ones are compatible with Okta. See WebAuthn compatibility for details.

Related topics

Multifactor Authentication

API token management

Trusted Origins API

Network Zones

General Security

Sign-on policies

HealthInsight

WebAuthn compatibility