FIDO2 (WebAuthn) support and behavior
FIDO2 (WebAuthn) is supported on most web browsers and operating systems. Okta uses the standard browser APIs for enrollment and authentication.
Security keys
All major browsers support Client to Authenticator Protocol 2 (CTAP2). CTAP2 with PIN is supported on Chrome, if the authenticator has a PIN registered.
If you delete a security key, the existing WebAuthn enrollments in Okta and on platform authenticators such as Touch ID and Windows Hello become invalid.
Edge
On Edge, enrolling in WebAuthn with either face recognition or PIN also enrolls other authentication methods, such as fingerprint.
Chrome
Chrome displays platform authenticators by default when both platform and roaming authenticators are enrolled and available.
If you clear passwords, cookies, and other sign-in data in Chrome, you remove the WebAuthn platform authenticator from the user's Chrome profile. This also removes the authenticator enrollment from the user's Okta account.
If you reset Apple Touch ID on Chrome, you invalidate the user's existing Touch ID WebAuthn enrollments in Okta. If you deactivate Touch ID in Chrome, you prevent future enrollments of Touch ID WebAuthn until it's set up again.
Windows
On Windows, if User Verification is set to Preferred, a PIN is enforced for CTAP2 with PIN authenticators even if it's not set up. The user must set up a PIN for each enrolled FIDO2 (WebAuthn) authenticator in . On other operating systems, the Preferred setting only enforces the PIN if it's set up on the authenticator.
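With User Verification set to Preferred, a PIN or biometric may or may not have been used, and the UV flag in the WebAuthn authenticator data records which. The following is an added example, not Okta's code or part of the original page: it parses the flags byte and applies a user verification policy. The function names, the `stepUp` field and the sample buffers are assumptions for illustration; the rpIdHash and signature checks that a full verifier performs are left out.

```javascript
// Flag bits in the authenticator data "flags" byte (WebAuthn specification).
const FLAG_UP = 0x01; // user present (touch)
const FLAG_UV = 0x04; // user verified (PIN or biometric)

// Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// policy mirrors the WebAuthn userVerification values:
// "required" | "preferred" | "discouraged".
function evaluateUserVerification(bytes, policy) {
  const data = parseAuthenticatorData(bytes);
  if (!data.userPresent) {
    return { accepted: false, stepUp: false, reason: "user presence flag not set" };
  }
  if (policy === "required" && !data.userVerified) {
    return { accepted: false, stepUp: false, reason: "UV required but not performed" };
  }
  if (policy === "preferred" && !data.userVerified) {
    // Preferred does not guarantee that a PIN or biometric was used.
    // stepUp is a hypothetical hint that the caller may want another factor.
    return { accepted: true, stepUp: true, reason: "UV preferred but not performed" };
  }
  return { accepted: true, stepUp: false, reason: "ok" };
}

// Constructed sample data: zeroed rpIdHash, chosen flags and signCount.
function sampleAuthData(flags, signCount) {
  const bytes = new Uint8Array(37);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

const touchOnly = sampleAuthData(FLAG_UP, 7);         // key used without a PIN
const withPin = sampleAuthData(FLAG_UP | FLAG_UV, 8); // PIN or biometric used
console.log(evaluateUserVerification(touchOnly, "preferred"));
console.log(evaluateUserVerification(withPin, "preferred"));
console.log(evaluateUserVerification(touchOnly, "required"));
```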