WebAuthn (MFA)

FIDO2 Web Authentication (WebAuthn) is a standard web API that is incorporated into web browsers and related web platform infrastructures that is used to securely authenticate users on the web across various sites and devices. For more information about the FIDO2 WebAuthn standard, see FIDO2 Project.

You can configure FIDO2 (WebAuthn) as a multifactor authentication (MFA) option. The WebAuthn standard provides users with new methods to authenticate with MFA factors that are enabled and configured specifically for WebAuthn. When you configure a WebAuthn authenticator, users must provide additional verification when signing in to Okta. Users can enroll in up to 10 instances of the same WebAuthn authenticator. User set themselves up either from the sign-in widget or from settings on their end-user dashboard.

If a user signs in to Okta and selects Security key or Biometric Authenticator, they're prompted to register a WebAuthn authenticator in order to sign in to Okta successfully. The user follows additional on-screen prompts for the browser or OS instructions to ensure successful authentication.

WebAuthn configuration in the Okta Admin Console

Note

Note: If an end user is only enrolled in WebAuthn authenticators (TouchID on Macintosh computers and iPhones, FaceID on iPhones, Windows Hello, Android fingerprint or PIN, or other device-bound authenticators), there is a risk that the end user could find themselves unable to authenticate into their account if something goes wrong with their WebAuthn authenticator. To mitigate this risk, Okta recommends that admins allow their users to set up non-WebAuthn factors that are not bound to a particular device, and encourage their users to set up these additional factors and authenticators as a backup.

WebAuthn authentication support

  • Authenticating with security keys such as YubiKeys or Google Titan
  • Authenticating with built-in authenticators such as Windows Hello and Apple Touch ID

  • Trusted cross-origin and cross-Relying Party Identifier (RP ID) validation when using the Trusted Origins API. Orgs can use WebAuthn for sign-in pages hosted at Trusted Origins that are different from the org's Okta or custom domain URL. See Trusted Origins tab.

    Note

    WebAuthn requires the https protocol. Make sure to specify https (not http) when you configure a Trusted Origin for this use case.

WebAuthn web browser support

WebAuthn is supported in Chrome, Firefox, and Edge browsers to different degrees. All three browsers support credential creation and assertion using a U2F Token (such as Yubico-provided tokens). For a full list of desktop and mobile browser compatibility, refer to Browser Compatibility.

Note

Embedded web browsers do not always support WebAuthn.

Firefox
  • Supports Windows Hello for Windows 10 build 1903 and later
  • Does not fully support Apple Touch ID
  • Does not support CTAP2 with PIN
Chrome
  • Supports platform authenticators (for example, Touch ID) and security keys
  • When platform and roaming authenticators are enrolled and available for a user, platform authenticators are displayed by default
  • If a CTAP2 authenticator has a PIN registered on the authenticator, Chrome does support CTAP2 with PIN
  • Resetting Apple Touch ID invalidates existing WebAuthn enrollments through Touch ID
  • Deactivating Apple Touch ID prevents enrollments of future Touch ID-based WebAuthn factor instances until Touch ID is set up again
  • Clearing Passwords and other sign-in data removes a WebAuthn platform authenticator from the Chrome profile. The Okta enrollment is invalidated and becomes out-of-date and no longer associated with a valid authenticator instance. Clearing Cookies and other site data has the same result.
Safari
  • Okta supports Apple's Touch ID in Safari on devices running macOS Catalina and later.
  • Does not support CTAP2 with PIN yet (as of 2019-10-25), just allows for security without user verification
  • There is no WebAuthn dialogue prompt, it silently waits for security key input
Edge
  • Supports platform authenticator (Windows Hello) and security key in Windows.
  • Enrolling in WebAuthn with either face or PIN also enrolls other authenticator methods (such as fingerprint sensor).
  • Windows Hello has a three minute timeout for face unlock (if available) before transitioning to PIN (if available). The timeout for PIN is approximately five minutes.
Edge Chromium
  • Only supports roaming authenticators. Touch ID and Windows Hello are not supported
  • Previous non-Chromium versions of Edge supports both roaming and platform authenticators
General
  • When enrolling a Security Key or Biometric Authenticator (WebAuthn), end users are prompted to allow Okta to have information about that particular enrolled factor. This allows each WebAuthn factor to appear by name in the Extra Verification section of the end user's Settings page.
  • On Windows 10 OS v 1809 and later, WebAuthn is supported for Windows Hello + security key, on Edge browser only
  • On Windows 10 OS v 1903 and later, WebAuthn is supported for Windows Hello + security key, on Edge + Chrome + Firefox browsers
  • On Windows in general, the default user verification value of "preferred" forces any PIN-capable CTAP2 authenticators to enter a PIN even if none is set on the device (essentially forcing the setup)
  • On other operating systems, the "preferred" setting only forces PIN entry if one has already been set on the authenticator
  • Only YubiKey 5 and newer supports CTAP with PIN

  • Wiping a security key invalidates existing WebAuthn enrollments in Okta from that security key device as well as platform authenticators such as Touch ID, Windows Hello.

WebAuthn Windows 10 support

Official FIDO2 certification for Windows Hello is supported as of Windows 10 build 1903 for web browser support on Microsoft Edge, Google Chrome, and Mozilla Firefox. Previous versions of Windows 10 use a deprecated implementation of WebAuthn, which is not supported by Okta.

Enroll a WebAuthn security key for an end user

You can enroll a WebAuthn security key on behalf of an end user.

  1. Click Profile to view the user attributes page.
  2. Under More Actions, click Enroll FIDO2 Security Key.

  3. Click Register to enroll the key. Your browser or device prompts you to enroll the key.

  4. Follow the on-screen instructions. A confirmation message appears when enrollment is successful.

End-user experience

When admins configure their orgs with User Verification set to Discouraged, end users who enroll a WebAuthn factor do not see the WebAuthn enrollment names of the factors they enroll; they are listed generically as "Authenticator", and no other details about the factor are provided.

Related topics

Multifactor Authentication (MFA)

Trusted Origins tab

Trusted Origins API

Network Zones

General Security

Sign-on policies

HealthInsight