FIDO2 (WebAuthn) support and behavior
FIDO2 (WebAuthn) is supported on most web browsers and operating systems. Okta uses the standard browser APIs for enrollment and authentication.
Security keys
All major browsers support version 2 of the Client to Authenticator Protocol (CTAP2). CTAP2 with PIN is supported on Chrome if the authenticator has a PIN registered.
If you delete a security key, the existing WebAuthn enrollments in Okta and on platform authenticators, such as Touch ID and Windows Hello, are invalidated.
Edge
On Edge, enrolling in WebAuthn with either face recognition or a PIN also enrolls other authentication methods, such as a fingerprint.
Chrome
Chrome displays platform authenticators by default when both platform and roaming authenticators are enrolled and available.
When you clear passwords, cookies, and other sign-in data in Chrome, you remove the WebAuthn platform authenticator from the Chrome profile. This also removes the authenticator enrollment from the Okta account.
Resetting Apple Touch ID for Chrome invalidates the existing Touch ID WebAuthn enrollments in Okta.
Deactivating Apple Touch ID in Chrome prevents future enrollments of Touch ID WebAuthn until Touch ID is set up again.
Windows
If User Verification is set to Preferred, Windows enforces a PIN for CTAP2 with PIN authenticators even if a PIN isn't set up.
The user must set up a PIN for each enrolled FIDO2 (WebAuthn) authenticator in their Okta End-User Dashboard under .
On other operating systems, the Preferred setting only enforces a PIN if it's set up on the authenticator.
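Because Preferred can result in a sign-in with or without a PIN depending on the platform and authenticator, a relying party can confirm what actually happened by reading the User Verified (UV) flag in the WebAuthn authenticator data. The following is an added example, not Okta code. It assumes the Preferred setting corresponds to the WebAuthn `userVerification: "preferred"` request option; the `stepUp` result field and the sample bytes are constructed for illustration.

```javascript
// Added example: parse the fixed header of WebAuthn authenticator data
// (rpIdHash[32] | flags[1] | signCount[4, big-endian]) and check the UV flag.
const FLAG_UP = 0x01; // bit 0: user present (touch)
const FLAG_UV = 0x04; // bit 2: user verified (PIN or biometric)

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false), // big-endian counter
  };
}

// Hypothetical policy: decide what to do for a given userVerification setting.
// "stepUp" is an assumed field meaning "ask for another factor".
function evaluateUserVerification(setting, authData) {
  const { userPresent, userVerified } = parseAuthenticatorData(authData);
  if (!userPresent) {
    return { accept: false, stepUp: false, reason: "user presence flag not set" };
  }
  if (setting === "required" && !userVerified) {
    return { accept: false, stepUp: false, reason: "UV required but not performed" };
  }
  if (setting === "preferred" && !userVerified) {
    // Authenticator had no PIN set up, so the platform skipped verification.
    return { accept: true, stepUp: true, reason: "UV preferred but not performed" };
  }
  return { accept: true, stepUp: false, reason: userVerified ? "user verified" : "UV not requested" };
}

// Constructed sample input: zeroed rpIdHash, chosen flags and counter.
function sampleAuthData(flags, signCount) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  new DataView(buf.buffer).setUint32(33, signCount, false);
  return buf;
}
```

In a real verification flow, this check runs only after the assertion signature and `rpIdHash` have been validated, because the flags are trustworthy only as part of the signed data.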