Require phishing-resistant authenticator to enroll additional authenticators

When a user is onboarded onto Okta for the first time, depending on how their admin has configured the authentication enrollment policy and the authentication policy, they might be prompted to enroll in at least two authenticators. They may also be prompted for inline multifactor authentication (MFA) enrollment if they sign directly into an app and the authenticators required to meet the assurance requirements of that app are not already enrolled. After this, when the user enrolls additional authenticators, Okta performs additional checks to make sure the user can satisfy assurance requirements. If a user has already enrolled in two authenticators, and those authenticators satisfy assurance requirements, such as the need to provide proof of possession, inherence, or knowledge, then the user may enroll in the additional authenticators. In some cases, certain authenticators, such as FIDO2 (WebAuthn), might satisfy multiple assurance requirements and the user only needs to authenticate with that one authenticator before enrolling in additional authenticators. For more information on authenticators and their factor types and method characteristics, see Multifactor Authentication and About MFA authenticators.

Admins may also require that the authenticator that users enroll in during onboarding is a phishing-resistant authenticator, such as FIDO2 (WebAuthn) (biometric and security key-based verification) or Okta FastPass. When admins turn on Require phishing-resistant authenticator to enroll additional authenticators, users must first verify their identity using a phishing-resistant authenticator before they can enroll in additional authenticators.

FIDO2 (WebAuthn) and Okta FastPass are phishing-resistant because there is no information, such as a password or a one-time password in a text message or authentication app, that a user can give to someone else. Requiring the use of a phishing-resistant authenticator for user authentication in order to add additional authenticators means that you can be assured that the user verification process is safe from phishing attempts.

Require phishing-resistant authenticators for new MFA enrollments

When you perform this procedure, users will be prompted during onboarding to Okta to enroll in the phishing-resistant authenticators first, before they can enroll in any other authenticators.

  1. Activate the FIDO2 (WebAuthn) authenticator. See Configure a FIDO2 (WebAuthn) authenticator for instructions.

  2. Activate the Okta Verify authenticator and enable Okta FastPass. See Configure the Okta Verify authenticator and Configure Okta Verify options for instructions.

  3. Create an authentication enrollment policy. See Create an authentication enrollment policy for instructions.

  4. In the Eligible authenticators list, select Required for the FIDO2 (WebAuthn) and/or Okta Verify authenticators.

  5. Configure an authentication policy rule. See Configure an authentication enrollment policy rule for instructions.

  6. In the Admin Console, go to Settings > Features.

  7. Click the toggle switch for Require phishing-resistant authenticator to enroll additional authenticators to turn it on.

End-user experience

Enroll in a phishing-resistant authenticator during onboarding to Okta

When Require phishing-resistant authenticator to enroll additional authenticators is activated, users must enroll in a phishing-resistant authenticator the first time they enroll in MFA, during onboarding to Okta, or the next time they sign in to Okta.

Then they may enroll in the other authenticators that their admin has enabled for them; users will be required to authenticate with the phishing-resistant authenticator when they enroll in the additional authenticators.

Okta recommends that users enroll a roaming authenticator, such as a FIDO2 (WebAuthn) security key, as their first phishing-resistant authenticator because this makes it possible to enroll additional laptops, desktops, and mobile devices at a later time. If a user enrolls in Okta FastPass, they may only use this authenticator to enroll additional mobile devices, not laptops or desktops.

See Configure a FIDO2 (WebAuthn) authenticator and Okta FastPass for instructions on enrolling in these authenticators.

Enroll in MFA on another laptop or desktop

When a user attempts to enroll in MFA on another device, the user may only use a security key or Okta FastPass to verify their identity on the other laptop or desktop. If they use a security key, it must be the same security key they used when they first enrolled in their phishing-resistant authenticator on their first device.

If a user doesn’t enroll in a roaming authenticator, such as a security key, they may not be able to complete enrollment on other devices, depending on the device type.

After they pass the identity verification with their security key or Okta FastPass, Okta presents the other authenticators that their admin has enabled for them, and they enroll in their authenticators in the usual way.

For instructions on enrolling in authenticators, see Multifactor Authentication, and select the authenticator you want to enroll in.

Enroll in Okta FastPass on a mobile device

This procedure describes how users enroll in Okta FastPass on a mobile device when Require phishing-resistant authenticator to enroll additional authenticators is turned on and when the user hasn’t enrolled a roaming authenticator for themselves.

  1. On your first device (usually your primary laptop or desktop), enroll in Okta FastPass during onboarding onto Okta. See Enable Okta FastPass for instructions.

  2. On the same device, sign in to the Okta Dashboard. Click your name and select Settings.

  3. In the Security Methods section, click Set up another for Okta Verify.

  4. Authenticate with Okta FastPass or FIDO2 (WebAuthn).

  5. On your mobile device, enroll in other authenticators as required. You will be prompted to authenticate with your phishing-resistant authenticator before you can add the additional authenticators.

Considerations

  • If a user isn’t enrolled in a phishing-resistant authenticator and Require phishing-resistant authenticator to enroll additional authenticators is activated for their org, they will still be able to enroll in additional authenticators using their existing authenticators to verify their identity.

  • If Require phishing-resistant authenticator to enroll additional authenticators is enabled for an org but the admin hasn’t activated the FIDO2 (WebAuthn) or Okta FastPass authenticators, users will still be able to enroll in additional authenticators using their existing authenticators to verify their identity.
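The two considerations above describe the silent fallback: the feature only takes effect when the enrollment policy from the procedure (steps 3 and 4) marks a phishing-resistant authenticator as Required and that authenticator is activated. As an added example (not Okta's own code or SDK), the following check audits both conditions from policy data; it assumes the MFA_ENROLL policy shape returned by the Okta Policies API (settings.type "AUTHENTICATORS" with per-authenticator "key" and "enroll.self" values) and a list of activated authenticator keys such as the Authenticators API returns.

```python
import json

# Authenticator keys for the two phishing-resistant authenticators this page covers:
# "webauthn" is FIDO2 (WebAuthn), "okta_verify" is Okta Verify (Okta FastPass).
PHISHING_RESISTANT_KEYS = {"webauthn", "okta_verify"}


def required_authenticators(policy):
    """Return the authenticator keys an MFA_ENROLL policy marks as Required."""
    if policy.get("type") != "MFA_ENROLL":
        raise ValueError("not an authenticator enrollment policy")
    settings = policy.get("settings", {})
    if settings.get("type") != "AUTHENTICATORS":
        return set()  # legacy factor-based policy: no authenticator entries to inspect
    return {
        a["key"]
        for a in settings.get("authenticators", [])
        if a.get("enroll", {}).get("self") == "REQUIRED"
    }


def check_phishing_resistant_enrollment(policy, activated_keys):
    """Return (ok, findings).

    ok is True only when at least one phishing-resistant authenticator is both
    Required in the enrollment policy and activated in the org, which is what the
    feature toggle depends on (see the Considerations).
    """
    findings = []
    pr_required = required_authenticators(policy) & PHISHING_RESISTANT_KEYS
    if not pr_required:
        findings.append("no phishing-resistant authenticator is Required in the enrollment policy")
    not_active = pr_required - set(activated_keys)
    for key in sorted(not_active):
        findings.append(f"{key} is Required by policy but not activated in the org")
    return bool(pr_required - not_active), findings


# Constructed sample policy (not from a real org), shaped like an MFA_ENROLL policy.
SAMPLE_POLICY = json.loads("""{
  "type": "MFA_ENROLL", "name": "Onboarding enrollment",
  "settings": {"type": "AUTHENTICATORS", "authenticators": [
    {"key": "webauthn",    "enroll": {"self": "REQUIRED"}},
    {"key": "okta_verify", "enroll": {"self": "OPTIONAL"}},
    {"key": "okta_email",  "enroll": {"self": "REQUIRED"}}
  ]}
}""")

if __name__ == "__main__":
    print(check_phishing_resistant_enrollment(SAMPLE_POLICY, ["webauthn", "okta_email"]))
```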

Related topics

Configure a FIDO2 (WebAuthn) authenticator

Okta FastPass

Multifactor Authentication

About MFA authenticators