Configure a WebAuthn (FIDO2) authenticator

The WebAuthn (FIDO2) authenticator lets you use a biometric method, such as fingerprint reading, to authenticate. This authenticator supports two authentication methods:

  • Security keys, such as YubiKey or Google Titan.
  • Platform authentication that's integrated into a device and uses biometric data, such as Windows Hello or Apple Touch ID.

WebAuthn (FIDO2) follows the FIDO2 Web Authentication (WebAuthn) standard. After this authenticator is enabled, end users can select it when signing in and use it for additional authentication.

To set up and manage YubiKeys to use the one-time password (OTP) mode, see Configure YubiKey for one-time passwords.

Add WebAuthn (FIDO2) as an authenticator

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Setup tab, click Add Authenticator.
  3. Click Add on the WebAuthn (FIDO2) tile.
  4. Select a User Verification setting:
    • Discouraged (default): Users aren't prompted for User Verification when they enroll in a WebAuthn (FIDO2) authenticator. This is the default setting to provide a consistent experience for end users signing in from various operating systems.
    • Preferred: Users are prompted to provide User Verification when they enroll in the authenticator if the authenticator supports, but doesn't require, User Verification.
    • Required: Users are always prompted to provide User Verification when they enroll in a WebAuthn (FIDO2) authenticator. The authenticator that the user is enrolling in must support User Verification.

      The settings Discouraged and Preferred work only on authenticators that support, but don't require, User Verification. For authenticators that always require User Verification, such as WebAuthn (FIDO2) with Touch ID, Discouraged and Preferred have no effect.

  5. Click Add.

Encourage your end users to also add authenticators that aren't bound to a specific device as a backup measure. If an end user only has one authenticator set up and it's on their mobile phone, they can't complete authentication or use an alternate method if the phone is lost. See MFA factor configuration.

Current limitations

  • Hardware protection is supported but dependent on the device and its implementation.
  • The determination that hardware protection was used is not supported.
  • You can't enroll the WebAuthn (FIDO2) authenticator on behalf of your end users.
  • The WebAuthn (FIDO2) authenticator may not function correctly using the Safari browser on Apple Macintosh computers running on the Apple M1 processor.
  • On Google Chrome browsers, the WebAuthn authenticator isn't usable if the browser requires an update. WebAuthn functionality is restored when you restart the browser after applying the update.

End-user experience

If this authenticator is enabled, end users can select it when signing in and set it up so it can be used for additional authentication. Depending on your configuration, end users may also be required to provide User Verification. This verification can include a biometric challenge, PIN, or password in addition to tapping the device.

When enrolling a WebAuthn Security Key or Biometric authenticator, users are prompted to allow Okta to have information about that particular enrolled authenticator. This allows each WebAuthn authenticator to appear by name in the Extra Verification section of the user's Settings page.

If a user is only enrolled in the WebAuthn factor, they risk being unable to authenticate into their account if something goes wrong with their WebAuthn factor or device. To mitigate this risk, encourage users to set up other MFA factors, in addition to WebAuthn, that aren't bound to a particular device, and to create multiple WebAuthn enrollments in multiple browsers and on multiple devices, to ensure that they can always access their Okta account in the event that one of their devices malfunctions, or is lost or stolen.

WebAuthn authenticator enrollments, such as Touch ID, are attached to a single browser profile on a single device.

If users want to use a WebAuthn authenticator on multiple browsers or devices, advise them that they must create a new WebAuthn enrollment in each browser, and on each device, in which they want to use the authenticator.

For example, if a user has Google Chrome and Firefox browsers on a Microsoft Windows computer, and Google Chrome and Safari browsers on an Apple Macintosh computer, they must create a new WebAuthn enrollment in each of those four browsers.

If they have multiple Google account profiles in the Google Chrome browser, they must also create a new WebAuthn enrollment for each of those Google account profiles.

WebAuthn, browser and Okta compatibility

Okta testers have tested browser and WebAuthn implementations to determine which ones are compatible with Okta. See WebAuthn compatibility for details.

Related topics

Configure YubiKey for one-time passwords

Configure the Email authenticator

Configure the Password authenticator

Configure the Phone authenticator

Configure the Security Question authenticator

WebAuthn compatibility