Customize the Passkeys (FIDO2 WebAuthn) end-user experience

If a user hasn't enrolled a Passkeys (FIDO2 WebAuthn) authenticator, Okta prompts them to do so the next time they sign in. For the biometric method, they're prompted to do a fingerprint or facial recognition scan. For the security key method, they're prompted to insert their security key to complete the enrollment. Prompts guide the user through the process.

When users enroll a WebAuthn security key or biometric authenticator, they're prompted to allow Okta to collect information about the authenticator they're enrolling. Users must allow Okta to see the make and model of the security key. This allows each Passkeys (FIDO2 WebAuthn) authenticator to appear by name in the Extra Verification section of the user's Settings page.

Once enrolled, users can select Passkeys (FIDO2 WebAuthn) to authenticate their sign-in. They're prompted to do a fingerprint or facial recognition scan, or insert their security key. Prompts guide the user through the process. Users can configure a maximum of 10 Passkeys (FIDO2 WebAuthn) enrollments.

Customize the authenticator name and description

You can change how the Passkeys (FIDO2 WebAuthn) authenticator appears in the Sign-in Widget. You can set the authenticator name to one of the following options:

  • Passkeys

    If Create passkeys is disabled, this is called Security key or biometric authenticator.

  • Custom name and description

    • Custom name field

    • Custom description field

If you use a custom name and description, you will need custom code for translations.

To set a custom name and description for the authenticator, follow these steps:

  1. In the Authenticator name section, select Custom name and description.

  2. In the Custom name field, enter a custom name for the authenticator to guide end-users during enrollments and authentication.

  3. In the Custom description field, enter a description of the authenticator to display additional information to users during enrollments and authentication.

Configure the Sign in with a passkey button

Enable Show the "Sign in with a passkey" button to display the Sign in with a passkey button on the Sign-in Widget. When enabled, the button is displayed on the Sign-in Widget for all users, allowing users with an enrolled passkey to easily authenticate.

Users who don't have a passkey enrolled must authenticate with their username and an enrolled factor to add a new passkey before they can use the button.

Configure passkeys autofill

Early Access release. See Enable self-service features.

Select Enable autofill UI to enable the Passkeys Autofill feature.

To disable this feature, clear the Enable autofill UI checkbox, and then disable the feature in Settings > Features.

Passkeys autofill doesn't work if you're using the password-first flow in the Sign-In Widget.

After you enable this feature, users see their enrolled passkeys when they click the Username field on the sign-in page. This encourages users to use Passkeys (FIDO2 WebAuthn) to access their account, making the sign-in process more secure. It also makes the process faster as the user doesn't have to manually enter their username, select authenticators, and complete the MFA prompt.

Users can enroll a passkey in the Okta End-User Dashboard, under Settings > Security Methods > Set up another Security Key or Biometric Authenticator.

If a passkey doesn't appear in the list, the user can select the option to use a different passkey and try again.

Security keys don't automatically appear in the autofill list in the browser. The user must manually click the option to use a different passkey, insert their security key, and then follow the prompts.

Don't unenroll a preregistered security key. If the user is prompted to try a different key, they should remove the existing security key enrollment, and then re-enroll the key from the Okta End-User Dashboard.

If you disable this feature, passkeys don't appear in the Username field. Instead, users must enter their username and then select security methods when they sign in.

Mac users may need an iCloud account to use biometric passkeys on Safari and Firefox.


Related topics

Passkeys (FIDO2 WebAuthn) support and behavior

Phishing-resistant authenticator enrollment