You can configure FIDO2 (WebAuthn) as a multifactor authentication (MFA) option. The WebAuthn standard lets users authenticate with MFA factors that are enabled and configured specifically for WebAuthn. When you configure a WebAuthn factor, users must provide additional verification when signing in to Okta. Users can enroll in up to ten instances of the same WebAuthn factor, and they set it up either from the sign-in widget or from the settings on their end user dashboard.
If a user signs in to Okta and selects Security Key or Biometric Authenticator, they're prompted to register a WebAuthn authenticator before they can finish signing in to Okta. The user then follows the browser or operating system prompts to complete enrollment and authenticate successfully.
- WebAuthn authentication support
- WebAuthn web browser support
- WebAuthn Windows 10 support
- Enroll a WebAuthn security key for an end user
- Authenticating with security keys such as YubiKeys or Google Titan
- Authenticating with built-in authenticators such as Windows Hello and Apple Touch ID
WebAuthn also supports trusted cross-origin and cross-Relying Party Identifier (RP ID) validation through the Trusted Origins API: orgs can use WebAuthn on sign-in pages hosted at Trusted Origins that differ from the org's Okta or custom domain URL. See the Trusted Origins tab.
WebAuthn requires a secure context, so it only works over https; browsers refuse WebAuthn requests from insecure (http) origins. Make sure you specify https (not http) when you configure a Trusted Origin for this use case.
WebAuthn is supported in Chrome, Firefox, and Edge to different degrees. All three browsers support credential creation and assertion using a U2F token (such as the tokens Yubico provides). For the full list of desktop and mobile browser compatibility, see Browser Compatibility.
Note: Embedded web browsers may not always support WebAuthn.
Windows Hello is officially FIDO2 certified as of Windows 10 version 1903, with browser support in Microsoft Edge, Google Chrome, and Mozilla Firefox. Earlier Windows 10 versions use a deprecated WebAuthn implementation that Okta doesn't support.
You can enroll a WebAuthn security key on behalf of an end user.
- Click Profile to view the user attributes page.
- Under More Actions, click Enroll FIDO2 Security Key.
- Click Register to enroll the key. Your browser or device prompts you to enroll the key.
- Follow the on-screen instructions. A confirmation message appears when enrollment is successful.