WebAuthn compatibility

Okta has tested multiple WebAuthn scenarios to determine which combinations of browsers, operating systems, and WebAuthn modes are compatible with Okta user verification requirements.

WebAuthn support in Okta on desktop browsers

Okta user verification with WebAuthn has been tested in the following desktop browsers and versions:

Browser              Version supported
Chrome               83.0.4103.106 +
Safari               13.1 (15609.1.20.111.8) +
Firefox              77.0.1 +
Internet Explorer    Not supported
Edge                 83.0.478.56 +

macOS Catalina (Touch ID)

n/a

macOS Catalina (Security Key)

n/a

Windows (Windows Hello)

(Windows 10 v. 1903+)

n/a

(Windows 10 v. 1809+)

Windows (Security Key)

(Windows 10 v. 1903+)

n/a

(Windows 10 v. 1809+)

WebAuthn support in Okta on mobile browsers

Okta user verification with WebAuthn has been tested in the following mobile browsers and versions:

Browser    Version supported
Chrome     98.0.4758.97 +
Safari     15.3.1 +
Firefox    98.0 +
Edge       99.0.1150.38 +

iOS (Face ID)

iOS (NFC Security Key)

Android (Fingerprint)

n/a

Android (Security Key)

n/a

General notes

  • Embedded web browsers aren't supported by Okta for WebAuthn-based user verification.
  • On Windows computers, if the Okta default user verification value is Preferred, users of any PIN-capable Client to Authenticator Protocol (CTAP) 2 authenticator are forced to enter a PIN even if none is set on the device. This allows each WebAuthn factor to appear by name in the Extra Verification section of the user's Settings page, which forces the user to set up a PIN. On other operating systems, the Preferred setting only forces PIN entry if one has already been set up on the authenticator.
  • As of Windows 10 build 1903, official FIDO2 certification for Windows Hello is supported on Microsoft Edge, Google Chrome, and Mozilla Firefox. Previous versions of Windows 10 use a deprecated implementation of WebAuthn, which isn't supported by Okta.
  • Only YubiKey 5 and newer support CTAP with PIN.
  • Wiping a security key invalidates existing WebAuthn enrollments in Okta from that security key device as well as platform authenticators such as Touch ID and Windows Hello.
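
Whether a PIN or biometric check actually took place under a Preferred or Required setting is visible to a relying party in the flags byte of the WebAuthn authenticator data. The following is an added example, not Okta's code or part of the original page: the function names and sample bytes are constructed for illustration, and the signature, challenge and rpIdHash checks of a full verification are out of scope.

```javascript
// Added example (not Okta code): read the UP/UV flags from WebAuthn
// authenticator data and apply the relying party's userVerification policy.
const FLAG_UP = 0x01; // bit 0: user present (touch)
const FLAG_UV = 0x04; // bit 2: user verified (PIN or biometric)

function parseAuthenticatorData(bytes) {
  // Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = bytes[32];
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// policy is the userVerification value sent in the request options:
// "required", "preferred" or "discouraged".
function evaluateUserVerification(bytes, policy) {
  const { userPresent, userVerified } = parseAuthenticatorData(bytes);
  if (!userPresent) return { accept: false, reason: "user-not-present" };
  if (policy === "required" && !userVerified) {
    return { accept: false, reason: "uv-required-but-missing" };
  }
  // Under "preferred" the assertion is still valid without UV, so record
  // the outcome and let the caller decide whether to step up.
  return { accept: true, reason: userVerified ? "uv-performed" : "presence-only" };
}

// Constructed sample input: zeroed rpIdHash, chosen flags, counter value.
function sampleAuthData(flags, signCount) {
  const bytes = new Uint8Array(37);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

const touchOnly = sampleAuthData(FLAG_UP, 7);            // key tapped, no PIN
const pinEntered = sampleAuthData(FLAG_UP | FLAG_UV, 8); // key tapped after PIN
for (const policy of ["required", "preferred"]) {
  console.log(policy, evaluateUserVerification(touchOnly, policy).reason,
    evaluateUserVerification(pinEntered, policy).reason);
}
```

Logging the "presence-only" outcome per browser and operating system shows where a Preferred policy is being satisfied by a touch alone.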

Browser-specific notes

Firefox

Doesn't support CTAP2 with PIN.

Chrome
  • Displays platform authenticators by default when platform and roaming authenticators are enrolled and available for a user.
  • Supports CTAP2 with PIN, provided the CTAP2 authenticator has a PIN registered on it.
  • Resetting Apple Touch ID invalidates existing Touch ID WebAuthn enrollments.
  • Deactivating Apple Touch ID on a Macintosh computer prevents future enrollments of Touch ID-based WebAuthn until Touch ID is set up again.
  • Clearing the Passwords and other sign-in data and Cookies and other site data browser settings removes the WebAuthn platform authenticator from the Chrome profile. The Okta enrollment is invalidated and is no longer associated with a valid authenticator instance.
Safari
  • Okta supports Apple's Touch ID in Safari on Intel-based Apple Macintosh computers running macOS Big Sur and later, but the WebAuthn (FIDO2) authenticator may not function correctly using the Safari browser on Apple Macintosh computers running on the Apple M1 processor.
  • Allows for security without user verification.
  • Doesn't support CTAP2 with PIN; only allows for security without user verification.
  • Doesn't display a WebAuthn dialog prompt for Safari users; the browser silently awaits insertion of the security key.
Edge
  • Enrolling in WebAuthn with either face recognition or PIN also enrolls other authenticator methods, such as fingerprint reading.
  • Windows Hello has a three-minute timeout for face recognition unlock (if available) before transitioning to PIN (if available). The timeout for PIN is approximately five minutes.
Edge Chromium

Previous non-Chromium versions of Edge support both roaming and platform authenticators.

For a full list of desktop and mobile browser compatibility, refer to Browser Compatibility.