FIDO2 (WebAuthn)

The FIDO2 (WebAuthn) factor lets you use a biometric method, such as fingerprint reading, to authenticate. This factor supports the following authentication methods:

  • Security keys, such as YubiKey or Google Titan.
  • Platform authentication that's integrated into a device and uses biometric data, such as Windows Hello or Apple Touch ID.

FIDO2 (WebAuthn) follows the FIDO2 Web Authentication (WebAuthn) standard. After this factor is enabled, end users can select it when signing in and use it for extra authentication.

Sign-ins to URLs that are different from the org's Okta URL, custom domain URL, trusted cross-origin, or cross-relying party identifier, require validation when using the Trusted Origins API. See Configure Trusted Origins.

To set up and manage YubiKeys to use the one-time password (OTP) mode, see YubiKey (MFA).

Enroll a FIDO2 (WebAuthn) security key for a user

You can enroll a security key on behalf of a user whose name appears in the Okta Directory. This enables you to provision security keys, along with laptops and mobile phones, as part of onboarding employees.

  1. In the Admin Console, go to DirectoryPeople.

  2. Enter the user's name in the search field, and then click Enter. Or, click Show all users, find the user in the list, and click the user's name.
  3. In the More Actions menu, select Enroll FIDO2 Security Key.
  4. Click Register. The Verify your identity prompt appears in your browser.
  5. Select the USB security key option and follow the prompts in your browser.
  6. When the Allow this site to see your security key? prompt appears, click Allow.
  7. Click Close or Register another.

Current limitations

  • On Google Chrome browsers, the FIDO2 (WebAuthn) factor isn't usable if the browser requires an update. WebAuthn functionality is restored when you restart the browser after applying the update.
  • Each user can configure a maximum of 10 WebAuthn enrollments.

User experience

If this factor is enabled, users can select it when signing in and set it up so it can be used for extra authentication. Depending on your configuration, users may also be required to provide User Verification. This verification can include a biometric challenge, PIN, or password in addition to tapping the device.

When enrolling a WebAuthn Security Key or Biometric factor, users are prompted to allow Okta to have information about that particular enrolled factor. This allows each FIDO2 (WebAuthn) factor to appear by name in the Extra Verification section of the user's Settings page.

If a user is only enrolled in the FIDO2 (WebAuthn) factor, they risk being unable to authenticate into their account if something goes wrong with their FIDO2 (WebAuthn) factor or device. To ensure that users can always access their Okta account if one of their devices malfunctions, is lost, or stolen, encourage users to do the following:

  • Set up other MFA factors, in addition to FIDO2 (WebAuthn), that aren't bound to a particular device.
  • Create multiple WebAuthn enrollments in multiple browsers and on multiple devices.

FIDO2 (WebAuthn) factor enrollments, such as Touch ID, are attached to a single browser profile on a single device.

If users want to use a FIDO2 (WebAuthn) factor on multiple browsers or devices, advise them that they must create a FIDO2 (WebAuthn) enrollment in each browser, and on each device, in which they want to use the factor.

For example, if a user has Google Chrome and Mozilla Firefox browsers on a Microsoft Windows computer, and Google Chrome and Apple Safari browsers on an Apple Macintosh computer, they must create a WebAuthn enrollment in each of those four browsers.

If they have multiple Google account profiles in the Google Chrome browser, they must also create a WebAuthn enrollment for each of those Google account profiles.

In addition, if you enable the FIDO2 (WebAuthn) factor on your *.okta.com URL, the FIDO2 (WebAuthn) factor only allows access to your org using your *.okta.com URL. If you enable the FIDO2 (WebAuthn) factor using the custom URL for your Okta org, the FIDO2 (WebAuthn) factor only allows access to your org through that custom URL. To allow your users to access your org through both URLs, you must enable the FIDO2 (WebAuthn) factor in both URLs.

Synchronizable Passkey Management

Passkeys are an implementation of the FIDO2 standard in which the FIDO2 (WebAuthn) credential may exist on multiple devices, such as on phones, tablets, or laptops, and across multiple operating system platforms. Passkeys enable FIDO2 (WebAuthn) credentials to be backed up and synchronized across devices. This preserves the strong key-based/non-phishable authentication model of FIDO2 (WebAuthn) while trading off some enterprise security features, such as device-bound keys and attestations, that are available today with some (WebAuthn) authenticators. Users no longer need to carry their security key or phone to pass multifactor authentication challenges. Instead, they can use any device they have already enrolled to authenticate themselves because their credential isn't confined to a single device.

In managed-device environments, users may be able to enroll unmanaged devices to a passkey credential and use such devices to gain access to corporate systems. Okta allows admins to block the use of synced passkeys for new FIDO2 (WebAuthn) enrollments for their entire org. When this feature is turned on, users can't enroll new, unmanaged devices using pre-registered passkeys. Admins can ensure that security policies are enforced on managed devices and address the risk of unmanaged and potentially compromised devices accessing corporate systems.

When you turn this feature on, that is, block the use of synced passkeys in your org, users running macOS Monterrey can't enroll in Touch ID using the Safari browser.

Block the use of synced passkeys

This feature is off by default. Turn this feature on and block the use of synced passkeys in your org:

  1. In the Admin Console, go to SettingsFeatures.

  2. Click the toggle switch for the Block synced passkeys for FIDO2 (WebAuthn) Authenticators option. The toggle switch turns blue.

Passkeys on Chrome on macOS are device-bound and aren't blocked.

Allow the use of synced passkeys

This is the default setting. Turn this feature off and allow the use of synced passkeys in your org:

  1. In the Admin Console, go to SettingsFeatures.

  2. Click the toggle switch for the Block Synced Passkeys for FIDO2 (WebAuthn) Authenticators option. The toggle switch turns gray.

WebAuthn, browser, and Okta compatibility

Okta testers have tested browser and WebAuthn implementations to determine which ones are compatible with Okta. See FIDO2 (WebAuthn) support and behavior for details.

Related topics

FIDO2 (WebAuthn) support and behavior

Multifactor Authentication

Configure Trusted Origins

Trusted Origins API

Network zones

General Security

Sign-on policies

HealthInsight

FIDO2 (WebAuthn) support and behavior