Configure a FIDO2 (WebAuthn) authenticator

The FIDO2 (WebAuthn) authenticator lets end users authenticate with a hardware security key or with a biometric method, such as fingerprint reading. This authenticator supports two authentication methods:

  • Security keys, such as YubiKey or Google Titan.
  • Platform authentication that's integrated into a device and uses biometric data, such as Windows Hello or Apple Touch ID.

FIDO2 (WebAuthn) follows the FIDO2 Web Authentication (WebAuthn) standard. After this authenticator is enabled, end users can select it when signing in and use it for additional authentication.

To set up and manage YubiKeys to use the one-time password (OTP) mode, see Configure YubiKey OTP for one-time passwords.

Add WebAuthn (FIDO2) as an authenticator

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Setup tab, click Add Authenticator.
  3. Click Add on the FIDO2 (WebAuthn) tile.
  4. Select a User Verification setting:
    • Discouraged (default): Users aren't prompted for User Verification when they enroll in a FIDO2 (WebAuthn) authenticator. This is the default setting to provide a consistent experience for end users signing in from various operating systems.
    • Preferred: Users are prompted to provide User Verification when they enroll in the authenticator if the authenticator supports, but doesn't require, User Verification.
    • Required: Users are always prompted to provide User Verification when they enroll in a FIDO2 (WebAuthn) authenticator. The authenticator that the user is enrolling in must support User Verification.

      The settings Discouraged and Preferred work only on authenticators that support, but don't require, User Verification. For authenticators that always require User Verification, such as FIDO2 (WebAuthn) with Touch ID, Discouraged and Preferred have no effect.

  5. Click Add.

Encourage your end users to also add authenticators that aren't bound to a specific device as a backup measure. If an end user only has one authenticator set up and it's on their mobile phone, they can't complete authentication or use an alternate method if the phone is lost. See MFA factor configuration.

Enroll a FIDO2 security key for a user

Admins can enroll a security key on behalf of a user whose name appears in the Okta Directory.

  1. In the Admin Console, go to Directory > People.
  2. Click in the search field, enter some characters from the user's name, and press Enter. Or, click Show all users, find the user in the list, and click the user's name. The page for that user appears.
  3. From the More Actions menu, select Enroll FIDO2 Security Key. The Enroll FIDO2 Security Key dialog appears.
  4. Click Register. The Verify your identity prompt appears in your browser.
  5. Select the USB security key option and follow the prompts in your browser.
  6. When the Allow this site to see your security key? prompt appears, click Allow.
  7. Click Close or Register another.

Current limitations

  • Hardware protection is supported but dependent on the device and its implementation.
  • The determination that hardware protection was used isn't supported.
  • You can't enroll the FIDO2 (WebAuthn) authenticator on behalf of your end users.
  • The FIDO2 (WebAuthn) authenticator may not function correctly using the Safari browser on Apple Macintosh computers running on the Apple M1 processor.
  • On Google Chrome browsers, the FIDO2 (WebAuthn) authenticator isn't usable if the browser requires an update. FIDO2 (WebAuthn) functionality is restored when you restart the browser after applying the update.

End-user experience

If this authenticator is enabled, end users can select it when signing in and set it up so it can be used for additional authentication. Depending on your configuration, end users may also be required to provide User Verification. This verification can include a biometric challenge, PIN, or password in addition to tapping the device.

When enrolling a WebAuthn Security Key or Biometric authenticator, users are prompted to allow Okta to have information about that particular enrolled authenticator. This allows each FIDO2 (WebAuthn) authenticator to appear by name in the Extra Verification section of the user's Settings page.

If a user is only enrolled in the FIDO2 (WebAuthn) authenticator, they risk being unable to authenticate into their account if something goes wrong with their FIDO2 (WebAuthn) authenticator or device. To mitigate this risk, encourage users to set up other MFA authenticators, in addition to FIDO2 (WebAuthn), that aren't bound to a particular device, and to create multiple WebAuthn enrollments in multiple browsers and on multiple devices, to ensure that they can always access their Okta account in the event that one of their devices malfunctions, or is lost or stolen.

FIDO2 (WebAuthn) authenticator enrollments, such as Touch ID, are attached to a single browser profile on a single device.

If users want to use a FIDO2 (WebAuthn) authenticator on multiple browsers or devices, advise them that they must create a new WebAuthn enrollment in each browser, and on each device, in which they want to use the authenticator.

For example, if a user has Google Chrome and Firefox browsers on a Microsoft Windows computer, and Google Chrome and Safari browsers on an Apple Macintosh computer, they must create a new WebAuthn enrollment in each of those four browsers.

If they have multiple Google account profiles in the Google Chrome browser, they must also create a new WebAuthn enrollment for each of those Google account profiles.

Passkey Management

Passkeys are an implementation of the FIDO2 standard in which the FIDO credential may exist on multiple devices, such as on phones, tablets or laptops, and across multiple operating system platforms. Passkeys enable WebAuthn credentials to be backed up and synchronized across devices. This preserves the strong key-based/non-phishable authentication model of WebAuthn/FIDO while trading off some enterprise security features, such as device-bound keys and attestations, that are available today with some WebAuthn authenticators. Users no longer need to carry their security key or phone to pass multifactor authentication challenges. Instead, they can use any device they have already enrolled to authenticate themselves because their credential isn't confined to a single device.

In managed-device environments, users may be able to use a passkey credential to enroll unmanaged devices and then use those devices to gain access to corporate systems. Okta allows admins to block the use of passkeys for new FIDO2 (WebAuthn) enrollments across their entire org. When this feature is turned on, users can't enroll new, unmanaged devices using pre-registered passkeys. Admins can ensure that security policies are enforced on managed devices and address the risk of unmanaged and potentially compromised devices accessing corporate systems.

When you turn this feature on, that is, block the use of passkeys in your org, users running macOS Monterey can't enroll in Touch ID using the Safari browser.
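The User Verification setting above and the passkey block both correspond to flag bits in the authenticator data that a WebAuthn authenticator returns at registration: UV (user verified) and BE (backup eligible, the mark of a synced passkey). The following is an added example, not Okta's code, showing how a relying party can check those bits against the two settings; the page does not document Okta's internal enforcement, so the parser layout comes from the WebAuthn specification and the sample authenticator data is constructed, with a zero-filled rpIdHash placeholder.

```javascript
// WebAuthn authenticator data header: rpIdHash (32) | flags (1) | signCount (4) | ...
const FLAG_UP = 0x01; // user present (touched the authenticator)
const FLAG_UV = 0x04; // user verified (PIN, biometric, or password)
const FLAG_BE = 0x08; // backup eligible: credential can be synced (a passkey)
const FLAG_BS = 0x10; // backup state: credential is currently backed up
const FLAG_AT = 0x40; // attested credential data follows (registration only)

function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error("authenticator data too short");
  const flags = authData[32];
  return {
    rpIdHash: authData.subarray(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible: (flags & FLAG_BE) !== 0,
    backedUp: (flags & FLAG_BS) !== 0,
    hasAttestedCredential: (flags & FLAG_AT) !== 0,
    signCount: authData.readUInt32BE(33),
  };
}

// userVerification: "discouraged" | "preferred" | "required" (the page's setting)
// blockPasskeys: the Block Passkeys for FIDO2 (WebAuthn) Authenticators toggle
function evaluateEnrollment(authData, { userVerification, blockPasskeys }) {
  const parsed = parseAuthenticatorData(authData);
  const reasons = [];
  if (!parsed.userPresent) reasons.push("no user presence");
  if (!parsed.hasAttestedCredential) reasons.push("no attested credential data");
  // Only "required" rejects a missing UV flag; discouraged and preferred accept either.
  if (userVerification === "required" && !parsed.userVerified) {
    reasons.push("user verification required but not performed");
  }
  // A synced passkey advertises backup eligibility; reject it when the org blocks passkeys.
  if (blockPasskeys && parsed.backupEligible) {
    reasons.push("backup-eligible (synced passkey) credential blocked");
  }
  return { accepted: reasons.length === 0, reasons, parsed };
}

// Constructed sample header only: rpIdHash is zero-filled (a real one is SHA-256 of the
// RP ID) and the attested credential data that would follow the header is omitted.
function sampleAuthData(flags) {
  const buf = Buffer.alloc(37);
  buf[32] = flags;
  buf.writeUInt32BE(0, 33); // sign counter
  return buf;
}

const SYNCED_PASSKEY = sampleAuthData(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT);
const DEVICE_BOUND_KEY_NO_UV = sampleAuthData(FLAG_UP | FLAG_AT);
```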

Block the use of passkeys

This feature is off by default. Turn this feature on and block the use of passkeys in your org:

  1. In the Admin Console, go to Settings > Features.

  2. Click the toggle switch for the Block Passkeys for FIDO2 (WebAuthn) Authenticators option. The toggle switch turns blue.

Allow the use of passkeys

This is the default setting. Turn this feature off and allow the use of passkeys in your org:

  1. In the Admin Console, go to Settings > Features.

  2. Click the toggle switch for the Block Passkeys for FIDO2 (WebAuthn) Authenticators option. The toggle switch turns gray.

WebAuthn, browser and Okta compatibility

Okta has tested browser and WebAuthn implementations to determine which ones are compatible with Okta. See FIDO2 (WebAuthn) compatibility for details.

Related topics

Configure YubiKey OTP for one-time passwords

Configure the Email authenticator

Configure the Password authenticator

Configure the Phone authenticator

Configure the Security Question authenticator

FIDO2 (WebAuthn) compatibility