Phishing-resistant authentication

Phishing-resistant authentication detects and prevents the disclosure of sensitive authentication data to fake applications or websites. WebAuthn (FIDO 2) and Okta FastPass (a verification option in Okta Verify) are phishing-resistant authenticators that prevent email, SMS, and social media phishing attacks. They don’t protect against attacks when the computer or network is already compromised.

Procedure

To ensure that users sign in with phishing-resistant factor types, follow these steps:

  1. Set up WebAuthn (FIDO 2) and Okta Verify.

  2. Configure Okta FastPass.

    If you use Okta FastPass for iOS or macOS managed devices, configure an SSO extension profile.

  3. Configure authenticator enrollment policies for Okta FastPass and WebAuthn. See Create an authenticator enrollment policy.

  4. Configure authentication policies that require a phishing-resistant possession factor: WebAuthn (FIDO 2) or Okta FastPass. See Add an authentication policy rule.

User experience

If phishing attempts occur when users authenticate with Okta FastPass, the events are recorded in the System Log. A message flags the authentication failure: FastPass declined phishing attempt.

When users access resources protected by a policy that requires phishing resistance, they can authenticate with WebAuthn or Okta FastPass. If Okta FastPass isn't supported, users are prompted to sign in with WebAuthn.
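Two defender-side checks that follow from the procedure and the System Log message above, as an added example that is not Okta's own code: a scan of a System Log export for the "FastPass declined phishing attempt" failure reason, and an audit that an authentication policy rule actually requires a phishing-resistant possession factor. The log lines and policy rules are constructed samples; the event type used and the rule's constraint layout (actions.appSignOn.verificationMethod.constraints[].possession.phishingResistant) are assumptions about the API shape.

```python
import json
from typing import Iterable

PHISHING_DECLINED = "FastPass declined phishing attempt"  # reason text shown in the System Log

# Constructed sample System Log export (JSON lines); not data from a real tenant.
# The eventType value is an assumption, the outcome.reason is the page's message.
SAMPLE_LOG = """
{"published":"2024-05-01T10:00:01Z","eventType":"user.authentication.auth_via_mfa","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"}}
{"published":"2024-05-01T10:02:13Z","eventType":"user.authentication.auth_via_mfa","outcome":{"result":"FAILURE","reason":"FastPass declined phishing attempt"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.7"}}
{"published":"2024-05-01T10:05:40Z","eventType":"user.session.start","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"203.0.113.10"}}
"""

# Constructed authentication policy rules (assumed API shape, see lead-in).
SAMPLE_RULE_STRONG = {"name": "Require phishing-resistant factor", "actions": {"appSignOn": {
    "verificationMethod": {"type": "ASSURANCE", "factorMode": "2FA",
                           "constraints": [{"possession": {"phishingResistant": "REQUIRED"}}]}}}}
SAMPLE_RULE_WEAK = {"name": "Any possession factor", "actions": {"appSignOn": {
    "verificationMethod": {"type": "ASSURANCE", "factorMode": "2FA",
                           "constraints": [{"possession": {"phishingResistant": "OPTIONAL"}}]}}}}


def find_phishing_declines(log_lines: Iterable[str]) -> list[dict]:
    """Return (time, user, source IP) for every FastPass phishing-decline failure in the export."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        outcome = event.get("outcome", {})
        # Match on the outcome reason so the check does not depend on the exact eventType.
        if outcome.get("result") == "FAILURE" and outcome.get("reason") == PHISHING_DECLINED:
            hits.append({"time": event.get("published"),
                         "user": event.get("actor", {}).get("alternateId"),
                         "ip": event.get("client", {}).get("ipAddress")})
    return hits


def rule_requires_phishing_resistance(rule: dict) -> bool:
    """True only if every constraint in the rule demands a phishing-resistant possession factor."""
    method = rule.get("actions", {}).get("appSignOn", {}).get("verificationMethod", {})
    constraints = method.get("constraints", [])
    if not constraints:
        return False  # no constraints at all means nothing enforces phishing resistance
    return all(c.get("possession", {}).get("phishingResistant") == "REQUIRED" for c in constraints)


if __name__ == "__main__":
    for hit in find_phishing_declines(SAMPLE_LOG.splitlines()):
        print("phishing attempt declined:", hit)
    for rule in (SAMPLE_RULE_STRONG, SAMPLE_RULE_WEAK):
        print(rule["name"], "->", "OK" if rule_requires_phishing_resistance(rule) else "NOT phishing-resistant")
```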

Phishing-resistant authentication on managed devices

For managed devices, authentication with Okta FastPass or WebAuthn is phishing resistant on all supported operating systems when users access their apps directly or from a supported browser.

On managed Windows devices, authentication with Okta FastPass or WebAuthn is phishing resistant only if users access the apps from a supported browser.

Operating system | Supported browsers          | Native apps
Android          | Okta FastPass or WebAuthn   | Okta FastPass or WebAuthn
iOS              | Okta FastPass or WebAuthn   | Okta FastPass or WebAuthn
macOS            | Okta FastPass or WebAuthn*  | Okta FastPass or WebAuthn
Windows          | Okta FastPass or WebAuthn   | Okta FastPass** or WebAuthn

* For Safari browsers, you must configure an SSO extension to ensure phishing-resistant authentication.

** For Universal Windows Platform applications, you must run a script.

Phishing-resistant authentication on unmanaged devices

For unmanaged devices, authentication with Okta FastPass or WebAuthn is phishing resistant on all supported operating systems when users access their apps from a supported browser.

If users access Android or iOS apps directly, authentication with Okta FastPass or WebAuthn is phishing resistant.

If users access macOS apps on unmanaged devices, they must authenticate with WebAuthn to satisfy the phishing-resistance requirement.

When users try to authenticate with Okta FastPass or WebAuthn to access Windows apps on unmanaged devices, the phishing-resistance requirement isn't satisfied. Therefore, Okta denies access.

Operating system | Supported browsers          | Native apps
Android          | Okta FastPass or WebAuthn   | Okta FastPass or WebAuthn
iOS              | Okta FastPass or WebAuthn   | Okta FastPass or WebAuthn
macOS            | Okta FastPass* or WebAuthn  | WebAuthn
Windows          | Okta FastPass or WebAuthn   | No phishing-resistant authentication**

* For Safari browsers on macOS, Okta FastPass isn't supported as a phishing-resistant authenticator due to the SSO extension requirement, which is only available for managed devices.

** Access is denied.

Related topics

Okta FastPass