FIDO2 (WebAuthn) compatibility

Okta has tested multiple WebAuthn scenarios to determine which combinations of browsers, operating systems, and WebAuthn modes are compatible with Okta user verification requirements.

FIDO2 (WebAuthn) support in Okta on desktop browsers

Okta user verification with WebAuthn has been tested in the following desktop browsers and versions:

  • Chrome 83.0.4103.106 and later
  • Safari 13.1 (15609.1.20.111.8) and later
  • Firefox 77.0.1 and later
  • Internet Explorer: not supported
  • Edge 83.0.478.56 and later

Platform authenticator and security key scenarios tested on desktop:

  • macOS Catalina (Touch ID)
  • macOS Catalina (Security Key)
  • Windows (Windows Hello): Windows 10 v. 1903+ (v. 1809+ for some browsers)
  • Windows (Security Key): Windows 10 v. 1903+ (v. 1809+ for some browsers)

FIDO2 (WebAuthn) support in Okta on mobile browsers

Okta user verification with WebAuthn has been tested in the following mobile browsers and versions:

  • Chrome 98.0.4758.97 and later
  • Safari 15.3.1 and later
  • Firefox 98.0 and later
  • Edge 99.0.1150.38 and later

Platform authenticator and security key scenarios tested on mobile:

  • iOS (Face ID)
  • iOS (NFC Security Key)
  • Android (Fingerprint)
  • Android (Security Key)

General notes

  • Okta doesn't support embedded web browsers for WebAuthn-based user verification.
  • On Windows computers, if the Okta default user verification value is Preferred, users of any PIN-capable Client to Authenticator Protocol (CTAP) 2 authenticator are forced to enter a PIN even if none is set on the device, which forces the user to set up a PIN. This allows each FIDO2 (WebAuthn) factor to appear by name in the Extra Verification section of the user's Settings page. On other operating systems, the Preferred setting only forces PIN entry if one has already been set up on the authenticator.
  • As of Windows 10 build 1903, official FIDO2 certification for Windows Hello is supported on Microsoft Edge, Google Chrome, and Mozilla Firefox. Previous versions of Windows 10 use a deprecated implementation of WebAuthn that Okta doesn't support.
  • Only YubiKey 5 and newer support CTAP with PIN.
  • Wiping a security key invalidates the existing Okta WebAuthn enrollments made from that key. The same applies to resetting platform authenticators such as Touch ID and Windows Hello.

Notes about security key enrollment

Enrolling a security key has several limitations when an AAGUID-based allow list is used:

  • Enrollment using FIDO U2F is not supported.
  • Enrollment is currently unsupported on Firefox.
  • Enrollment is currently unsupported on Chrome if User Verification is set to Discouraged and a PIN is set on the security key.
  • If prompted during enrollment, users must allow Okta to see the make and model of the security key.
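How a relying party can apply the AAGUID-based allow list and the user verification setting described above, as an added example that is not Okta's code: it parses the WebAuthn authenticatorData (rpIdHash, flags, signCount, attested credential data), checks the AAGUID against an allow list, and rejects a missing UV flag only when the policy is Required (Preferred and Discouraged accept it). The sample bytes and the AAGUID value are constructed placeholders, not a real authenticator model.

```python
import struct
import uuid
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# authenticatorData flag bits (WebAuthn spec): user present, user verified, attested credential data
FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40

@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[uuid.UUID]      # present only when the AT flag is set (registration)
    credential_id: Optional[bytes]

def parse_authenticator_data(data: bytes) -> AuthData:
    """Decode the 37-byte header and, for registration, the attested credential data.
    The COSE public key that follows the credential ID is not needed here and is skipped."""
    if len(data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags = data[:32], data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    aaguid = cred_id = None
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("attested credential data truncated")
        aaguid = uuid.UUID(bytes=data[37:53])           # 16-byte authenticator model identifier
        (cred_len,) = struct.unpack(">H", data[53:55])
        cred_id = data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential ID truncated")
    return AuthData(rp_id_hash, flags, sign_count, aaguid, cred_id)

def check_enrollment(data: bytes, allow_list: Set[uuid.UUID], user_verification: str) -> Tuple[bool, str]:
    """Accept a registration only if the AAGUID is allowed and the UV flag satisfies the policy.
    'required' rejects a missing UV flag; 'preferred' and 'discouraged' accept it."""
    ad = parse_authenticator_data(data)
    if ad.aaguid is None:
        return False, "no attested credential data"
    if ad.aaguid not in allow_list:
        return False, f"AAGUID {ad.aaguid} not in allow list"
    if user_verification == "required" and not ad.flags & FLAG_UV:
        return False, "user verification required but UV flag not set"
    return True, "ok"

# Constructed sample registration: UP+UV+AT flags, sign count 1, placeholder AAGUID (not a real model)
SAMPLE_AAGUID = uuid.UUID("00000000-0000-0000-0000-00000000beef")
SAMPLE_AUTH_DATA = (b"\x11" * 32 + bytes([FLAG_UP | FLAG_UV | FLAG_AT]) + struct.pack(">I", 1)
                    + SAMPLE_AAGUID.bytes + struct.pack(">H", 4) + b"cred")
```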

Browser-specific notes

Firefox
  • Doesn't support CTAP2 with PIN.
Chrome
  • Displays platform authenticators by default when platform and roaming authenticators are enrolled and available for a user.
  • Supports CTAP2 with PIN when a PIN is registered on the CTAP2 authenticator.
  • Resetting Apple Touch ID invalidates existing Touch ID WebAuthn enrollments.
  • Deactivating Apple Touch ID on a Macintosh computer prevents future enrollments of Touch ID-based WebAuthn until Touch ID is set up again.
  • Clearing the Passwords and other sign-in data and Cookies and other site data browser settings removes the WebAuthn platform authenticator from the Chrome profile. The Okta enrollment is invalidated and is no longer associated with a valid authenticator instance.
Safari
  • Okta supports Apple's Touch ID in Safari on Intel-based Apple Macintosh computers running macOS Big Sur and later. The FIDO2 (WebAuthn) authenticator may not function correctly in Safari on Apple Macintosh computers with the Apple M1 processor.
  • Doesn't support CTAP2 with PIN; it only allows security keys without user verification.
  • Doesn't display a WebAuthn dialog prompt for Safari users. The browser silently waits for the security key to be inserted.
Edge
  • Enrolling in WebAuthn with either face recognition or PIN also enrolls other authenticator methods, such as fingerprint reading.
  • Windows Hello has a three-minute timeout for face recognition unlock (if available) before transitioning to PIN (if available). The timeout for PIN is approximately five minutes.
Edge Chromium
  • Previous non-Chromium versions of Edge support both roaming and platform authenticators.

For a full list of desktop and mobile browser compatibility, refer to Browser Compatibility.