FIDO2 Web Authentication (WebAuthn) is a standard web API, built into web browsers and related web platform infrastructure, that is used to securely authenticate users on the web across sites and devices. For more information about the FIDO2 WebAuthn standard, see FIDO2 Project.
You can configure FIDO2 (WebAuthn) as a multifactor authentication (MFA) option. The WebAuthn standard gives users new ways to authenticate with MFA factors that are enabled and configured specifically for WebAuthn. When you configure a WebAuthn authenticator, users must provide additional verification when signing in to Okta. Users can enroll up to 10 instances of the same WebAuthn authenticator. Users set themselves up either from the sign-in widget or from the settings on their end-user dashboard.
If a user signs in to Okta and selects Security key or Biometric Authenticator, they're prompted to register a WebAuthn authenticator in order to sign in to Okta successfully. The user then follows the additional on-screen prompts from the browser or OS to complete authentication.
Note: If an end user is enrolled only in WebAuthn authenticators (Touch ID on Macintosh computers and iPhones, Face ID on iPhones, Windows Hello, Android fingerprint or PIN, or other device-bound authenticators), there is a risk that the end user could be unable to authenticate to their account if something goes wrong with their WebAuthn authenticator. To mitigate this risk, Okta recommends that admins allow their users to set up non-WebAuthn factors that are not bound to a particular device, and encourage their users to set up these additional factors and authenticators as a backup.
- WebAuthn authentication support
- WebAuthn web browser support
- WebAuthn Windows 10 support
- Enroll a WebAuthn security key for an end user
- End-user experience
- Authenticating with security keys such as YubiKeys or Google Titan
- Authenticating with built-in authenticators such as Windows Hello and Apple Touch ID
Okta performs trusted cross-origin and cross-Relying Party Identifier (RP ID) validation when you use the Trusted Origins API. Orgs can use WebAuthn for sign-in pages hosted at Trusted Origins that are different from the org's Okta or custom domain URL. See Trusted Origins tab.
WebAuthn requires the https protocol. Make sure to specify https (not http) when you configure a Trusted Origin for this use case.
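The two points above (the origin must be https, and the RP ID must relate correctly to the origin that hosts the sign-in page) can be checked before a Trusted Origin is allowed to start a WebAuthn ceremony. The following is an added example, not Okta's code and not the logic behind Okta's Trusted Origins API: it applies the basic WebAuthn rule that the RP ID must equal the origin's host or be a parent domain of it, enforces https, and builds the `PublicKeyCredentialCreationOptions` object that a browser would pass to `navigator.credentials.create()`. The RP ID `example.com`, the candidate origins and the fixed challenge bytes are constructed placeholders; the public-suffix check is approximated by rejecting single-label RP IDs, which a real deployment should replace with a public suffix list lookup.

```javascript
// Added example (not Okta's code). Checks a relying party would apply to a
// candidate Trusted Origin before using it for WebAuthn enrollment or sign-in.

// True only for a canonical https origin such as "https://login.example.com"
// (no path, query, fragment, or redundant default port).
function originUsesHttps(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return false; // not a parseable URL at all
  }
  return url.protocol === 'https:' && url.origin === origin;
}

// Approximates the WebAuthn RP ID rule: the RP ID must be the origin's host
// or a parent domain of it. Assumption: a single-label RP ID (e.g. "com") is
// treated as a public suffix and rejected; a real deployment needs the PSL.
function rpIdIsValidForOrigin(origin, rpId) {
  if (!originUsesHttps(origin)) return false; // http origins never qualify
  const host = new URL(origin).hostname.toLowerCase();
  const id = String(rpId).trim().toLowerCase();
  if (id === '') return false;
  if (host === id) return true;               // exact match
  if (!host.endsWith('.' + id)) return false; // "evil-example.com" vs "example.com"
  return id.includes('.');                    // reject bare TLDs as RP IDs
}

// Builds the options object for navigator.credentials.create(). userVerification
// mirrors the Okta "User Verification" setting (required/preferred/discouraged).
function buildCreationOptions({ rpId, rpName, userId, userName, challenge, userVerification = 'preferred' }) {
  const allowed = ['required', 'preferred', 'discouraged'];
  if (!allowed.includes(userVerification)) {
    throw new RangeError('userVerification must be one of ' + allowed.join(', '));
  }
  if (!(challenge instanceof Uint8Array) || challenge.byteLength < 16) {
    throw new RangeError('challenge must be at least 16 random bytes'); // WebAuthn minimum
  }
  return {
    publicKey: {
      rp: { id: rpId, name: rpName },
      user: { id: userId, name: userName, displayName: userName },
      challenge,
      pubKeyCredParams: [
        { type: 'public-key', alg: -7 },   // ES256
        { type: 'public-key', alg: -257 }, // RS256
      ],
      authenticatorSelection: { userVerification },
      timeout: 60000,
      attestation: 'none',
    },
  };
}

// Evaluates a list of candidate origins against one RP ID.
function evaluateOrigins(candidates, rpId) {
  return candidates.map((origin) => ({ origin, allowed: rpIdIsValidForOrigin(origin, rpId) }));
}

// Constructed sample data (placeholders, not real org values).
const RP_ID = 'example.com';
const CANDIDATE_ORIGINS = [
  'https://example.com',         // allowed: equals RP ID
  'https://login.example.com',   // allowed: subdomain of RP ID
  'http://login.example.com',    // rejected: WebAuthn requires https
  'https://evil-example.com',    // rejected: not under the RP ID
];
const SAMPLE_CHALLENGE = new Uint8Array(32).fill(7); // constructed; use fresh random bytes per ceremony

if (typeof require !== 'undefined' && require.main === module) {
  console.log(evaluateOrigins(CANDIDATE_ORIGINS, RP_ID));
  const options = buildCreationOptions({
    rpId: RP_ID,
    rpName: 'Example Org',
    userId: new TextEncoder().encode('user-0001'),
    userName: 'alice@example.com',
    challenge: SAMPLE_CHALLENGE,
    userVerification: 'discouraged',
  });
  console.log(JSON.stringify(options.publicKey.authenticatorSelection));
  // In a browser: const cred = await navigator.credentials.create(options);
}
```

The origin check is deliberately strict about canonical form so that a Trusted Origin entry with a trailing path or an explicit `:443` is flagged rather than silently normalised; the `userVerification` value is validated at construction time because a typo there would otherwise be ignored by the browser and fall back to a default.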
WebAuthn is supported in Chrome, Firefox, and Edge browsers to different degrees. All three browsers support credential creation and assertion using a U2F Token (such as Yubico-provided tokens). For a full list of desktop and mobile browser compatibility, refer to Browser Compatibility.
Embedded web browsers do not always support WebAuthn.
Official FIDO2 certification for Windows Hello is available as of Windows 10 build 1903, with web browser support in Microsoft Edge, Google Chrome, and Mozilla Firefox. Earlier versions of Windows 10 use a deprecated implementation of WebAuthn, which Okta does not support.
You can enroll a WebAuthn security key on behalf of an end user.
- Click Profile to view the user attributes page.
- Under More Actions, click Enroll FIDO2 Security Key.
- Click Register to enroll the key. Your browser or device prompts you to enroll the key.
- Follow the on-screen instructions. A confirmation message appears when enrollment is successful.
When admins configure their orgs with User Verification set to Discouraged, end users who enroll a WebAuthn factor do not see the enrollment names of the WebAuthn factors they enroll; the factors are listed generically as "Authenticator", and no other details about them are shown.