Configure a FIDO2 (WebAuthn) authenticator

The FIDO2 (WebAuthn) authenticator lets you use a biometric method to authenticate. This authenticator supports two authentication methods:

  • Security keys, such as YubiKey or Google Titan.
  • Platform authentication that's integrated into a device and uses biometric data, such as Windows Hello or Apple Touch ID.

This authenticator also lets you manage which FIDO2 (WebAuthn) authenticators are allowed in your org for new enrollments, authentication enrollment policies, and user verification.

FIDO2 (WebAuthn) follows the FIDO2 Web Authentication (WebAuthn) standard. After you enable this authenticator, end users can select it when they sign in to Okta or use it for additional authentication.

To set up and manage YubiKeys to use the one-time password (OTP) mode, see Configure YubiKey OTP for one-time passwords.

Add FIDO2 (WebAuthn) as an authenticator

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Setup tab, click Add Authenticator.
  3. Click Add on the FIDO2 (WebAuthn) tile.
  4. Select a User Verification setting:
    • Discouraged: Users aren't prompted for User Verification when they enroll in a FIDO2 (WebAuthn) authenticator. This is the default setting to provide a consistent experience for end users signing in from various operating systems.
    • Preferred: Users are prompted for User Verification if they enroll in a FIDO2 (WebAuthn) authenticator that supports it.
    • Required: Users are always prompted for User Verification when they enroll in a FIDO2 (WebAuthn) authenticator. The authenticator that the user is enrolling in must support User Verification. Use this setting for authenticators that require User Verification, like FIDO2 (WebAuthn) with Touch ID.
  5. Click Add.

Okta recommends the following backup measures:

  • Encourage your end users to add additional authenticators that aren't bound to a specific device. If the user only has one authenticator set up and it's on their mobile phone, they can't complete authentication if the phone is lost.
  • Encourage your end users to create FIDO2 (WebAuthn) enrollments in multiple browsers and on multiple devices. If the user only sets up one security key or biometric authenticator in one browser, they can't complete authentication if the browser blocks the security key or biometric authenticator, or if the device is lost.

View the list of Okta-recognized WebAuthn authenticators

This is an Early Access feature. To enable it, use the Early Access Feature Manager as described in Manage Early Access and Beta features.

Search the list of authenticators to see which ones are supported by Okta, their type, FIPS compliance status, and hardware protection status. This list is provided by the FIDO Metadata Service.

You must add FIDO2 (WebAuthn) as an authenticator before you can view the list of authenticators.

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Setup tab, click Actions in the FIDO2 (WebAuthn) row and then select Edit.
  3. Select the Authenticator settings tab.
  4. Click View list of Okta-recognized authenticators.
  5. To search for a specific Okta-recognized authenticator, click in the search field and start typing the authenticator name or Authenticator Attestation Global Unique Identifier (AAGUID) number.
  6. If the authenticator you're searching for isn't in the list, click the Learn to register an authenticator with FIDO link at the top of the page.

Add an authenticator group

You must add FIDO2 (WebAuthn) as an authenticator before you can create an authenticator group.

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Setup tab, click Actions in the FIDO2 (WebAuthn) row and select Edit.
  3. Select the Authenticator settings tab.
  4. Click Add authenticator group.
  5. Enter the name of the group in Authenticator group name.
  6. Click inside FIDO2 (WebAuthn) authenticators in this group and select the authenticator you want to add to the group. You can also start typing the authenticator name or AAGUID number to filter the list. The authenticator appears in the field.
  7. Click inside FIDO2 (WebAuthn) authenticators in this group again to add another authenticator to the group. You can select it from the list or start typing its name or AAGUID number.
  8. If you add an authenticator by mistake, click the X beside the authenticator name in FIDO2 (WebAuthn) authenticators in this group to remove it.

Edit an authenticator group

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Setup tab, click Actions in the FIDO2 (WebAuthn) row and then select Edit.
  3. Select the Authenticator settings tab.
  4. Find the authenticator in the Authenticator groups list.
  5. Click Actions, then select Edit.
  6. Edit the name of the authenticator group, or click inside FIDO2 (WebAuthn) authenticators in this group and add or remove authenticators from the list.

Delete an authenticator group

Before you can delete an authenticator group, you must remove it from all authentication enrollment policies that include it. See Delete an authenticator group from an authentication enrollment policy.

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Setup tab, click Actions in the FIDO2 (WebAuthn) row and select Edit.
  3. Select the Authenticator settings tab.
  4. Find the authenticator in the Authenticator groups list.
  5. Click Actions, then select Delete.

Delete an authenticator group from an authentication enrollment policy

Before you can delete an authenticator group, you must remove it from all authentication enrollment policies that include it. See Create an authentication enrollment policy for more information.

  1. In the Admin Console, go to Security > Authenticators.
  2. Click the Enrollment tab.
  3. Select a policy from the list and find the FIDO2 (WebAuthn) in the Eligible authenticators list.
  4. If you see Authenticators from selected group list under FIDO2 (WebAuthn), click Edit.
  5. In the FIDO2 (WebAuthn) section, select one of these options:
    • Any WebAuthn authenticators: Allow your users to authenticate with any FIDO2 (WebAuthn) authenticator.
    • Authenticators from selected group list: Click the x beside the name of an authenticator in the list to delete it.
  6. Click Update policy.
  7. Examine each policy to find the ones that use the authenticator group you want to remove and repeat this procedure.

Enroll a FIDO2 security key for a user

Admins can enroll a security key on behalf of a user whose name appears in the Okta Directory.

  1. In the Admin Console, go to Directory > People.
  2. Enter the user's name in the search field, and then click Enter. Or, click Show all users, find the user in the list, and click the user's name.
  3. In the More Actions menu, select Enroll FIDO2 Security Key.
  4. Click Register. The Verify your identity prompt appears in your browser.
  5. Select the USB security key option and follow the prompts in your browser.
  6. When the Allow this site to see your security key? prompt appears, click Allow.
  7. Click Close or Register another.

Browser-specific considerations

  • The FIDO2 (WebAuthn) authenticator may not function correctly using the Safari browser on Apple Macintosh computers running on the Apple M1 processor.
  • On Google Chrome browsers, the FIDO2 (WebAuthn) authenticator isn't usable if the browser requires an update. FIDO2 (WebAuthn) functionality is restored when you restart the browser after applying the update.

End-user experience

When enrolling a WebAuthn Security Key or Biometric authenticator, users are prompted to allow Okta to collect information about that particular enrolled authenticator. This allows each FIDO2 (WebAuthn) authenticator to appear by name in the Extra Verification section of the user's Settings page.

If a user is only enrolled in the FIDO2 (WebAuthn) authenticator, they risk being unable to authenticate into their account if something goes wrong with their FIDO2 (WebAuthn) authenticator or device.

FIDO2 (WebAuthn) authenticator enrollments, such as Touch ID, are attached to a single browser profile on a single device. If users want to use a FIDO2 (WebAuthn) authenticator on multiple browsers or devices, advise them that they must create a new FIDO2 (WebAuthn) enrollment in each browser and on each device. If they have multiple Google account profiles in the Google Chrome browser, they must also create a new FIDO2 (WebAuthn) enrollment for each of those Google account profiles.

In addition, if you enable the FIDO2 (WebAuthn) authenticator on your *.okta.com URL, the FIDO2 (WebAuthn) authenticator only allows access to your org using your *.okta.com URL. If you enable the FIDO2 (WebAuthn) authenticator using the custom URL for your Okta org, the FIDO2 (WebAuthn) authenticator only allows access to your org through that custom URL. To allow your users to access your org through both URLs, you must enable the FIDO2 (WebAuthn) authenticator in both URLs.

Passkey Management

Passkeys are an implementation of the FIDO2 standard in which the FIDO credential may exist on multiple devices. Passkeys enable WebAuthn credentials to be backed up and synchronized across devices. This preserves the strong key-based/non-phishable authentication model of WebAuthn/FIDO while trading off some enterprise security features, such as device-bound keys and attestations, that are available with some WebAuthn authenticators. Users no longer need to carry their security key or phone to pass multifactor authentication challenges. Instead, they can use any device they have already enrolled to authenticate themselves because their credential isn't confined to a single device.

In managed-device environments, users may be able to enroll unmanaged devices with a passkey credential and use these devices to gain access to corporate systems. Okta allows admins to block the use of passkeys for new FIDO2 (WebAuthn) enrollments for their entire org. When this feature is turned on, users aren't able to enroll new, unmanaged devices using pre-registered passkeys.

Block the use of passkeys

  1. In the Admin Console, go to Settings > Features.

  2. Click the toggle switch for the Block Passkeys for FIDO2 (WebAuthn) Authenticators option.

When you block the use of passkeys in your org, users running macOS Monterrey can't enroll in Touch ID using the Safari browser.

In addition, when you block the use of passkeys, iPhone users running iOS 16 on their devices can't use the FIDO2 (WebAuthn) authentication. If you need to block the use of passkeys, Okta recommends that you enable Okta FastPass or security keys that support NFC or USB-C. Enrollments of devices running iOS 16 are supported after you block the use of passkeys for non-passkey uses.

Related topics

Configure YubiKey OTP for one-time passwords

Configure the Email authenticator

Configure the Password authenticator

Configure the Phone authenticator

Configure the Security Question authenticator

FIDO2 (WebAuthn) compatibility

Require phishing-resistant authenticator to enroll additional authenticators