Device Trust upgrade considerations

To migrate Device Trust to Okta FastPass, you must upgrade from Classic Engine to Identity Engine. Then, configure Device Trust and Okta FastPass settings in Identity Engine.

Before you upgrade to Identity Engine, review these scenarios:

Push and Time-based one-time password were already enabled

  • In Identity Engine, users remain enrolled in Push and Time-based one-time password (TOTP) factors. Okta Verify with Push enrollments don't work if the authentication policy has the Hardware protected constraint enabled (see Limitations). Users might see other settings in Okta Verify.
  • In Identity Engine, Okta creates a device record in the Universal Directory when a user enrolls in Okta Verify. This record binds the user to the device and the Okta Verify app instance. The device is now registered and appears in the Admin Console under Directory > Devices. Some authentication policies allow access to apps only from registered devices. In this case, the user must enroll in Okta Verify.
  • In Identity Engine, users can enroll multiple devices in Okta Verify (in Classic Engine, they could enroll only one device). When users add an Okta Verify account on other devices, they’re automatically enrolled in Push and TOTP factors on the new devices.

Users already had one Okta Verify account

  • The account continues to work as before.
  • After the upgrade, the user can't add another Okta Verify account in the same Classic Engine org.
  • A Set up Okta FastPass button appears on the app's Account Details page. The button allows the user to enable their Okta Verify account to use their device as an authenticator (a Way to sign in).

A user had multiple Okta Verify accounts in a single org

Identity Engine orgs don't support adding more than one Okta Verify account per org.

If a user has two accounts in the Classic Engine org, both accounts continue to work after upgrading. A Set up Okta FastPass button appears on the app's Account Details page in each account. The button allows the user to enable Okta FastPass in only one of the Okta Verify accounts created in Classic Engine. After the upgrade, if the user clicks Set up Okta FastPass in the second account on the same device, an error appears.

Revert to Classic Engine

If your Okta account team reverts your org to Classic Engine, Push and TOTP remain enabled even if these factors weren’t enabled before the upgrade. To deactivate Okta Verify in your org, go to Security > Multifactor > Factor Types. Select Okta Verify, and then click Deactivate.

Related topics

Migrate Device Trust to Okta FastPass

Limitations