Configure the Smart Card authenticator
The Smart Card authenticator allows users to authenticate using their Smart Card. The factor type and method characteristics of this authenticator depend on the options that you select for Security characteristics when configuring the Smart Card Identity Provider(IdP).
Select from the PIN protected and Hardware protected options based on the configuration of the smart cards that your org uses. This determines how the Smart Card authenticator behaves:
| Option selected | Factor type | Method characteristics |
|---|---|---|
| No option selected | Possession | Device-bound
Phishing-resistant User presence |
| Only Hardware protected | Possession | Device-bound Hardware-protected Phishing-resistant User presence |
| Only PIN protected | Possession + Knowledge | Device-bound
Phishing-resistant User presence User verifying |
| Both PIN protected and hardware protected | Possession + Knowledge | Device-bound
Hardware-protected Phishing-resistant User presence User verifying |
Before you begin
Add the Smart Card authenticator
- In the Admin Console, go to .
-
On the Setup tab, click Add Authenticator.
- Click Add on the Smart Card Authenticator tile.
- From the Smart Card Identity Provider (IdP) dropdown menu, select all IdPs that you want to associate with this authenticator.
- Click Add. The authenticator appears in the list on the Setup tab.
Add Smart Card to authenticator enrollment policy
In Authenticators, go to the Enrollment tab to add the authenticator to a new or an existing authenticator enrollment policy. See Create an authenticator enrollment policy.
Edit or delete the Smart Card authenticator
Before you edit or delete the authenticator, you may have to update existing policies that use this authenticator.
- In Authenticators, go to the Setup tab.
- Open the Actions dropdown menu beside the authenticator, and then select Edit or Delete.
Allow multiple identities on one Smart Card
An end user can use one Smart Card to identify as different identities and authenticate into corresponding accounts. When the end user clicks the Sign in with PIV/CAC button, Okta prompts them to choose their certificate. After Okta verifies the selected certificate, a dropdown menu of available user accounts appears. The user then selects the identity that they want to sign in to and the authentication flow continues.
For this feature to work, you must map Smart Cards to the user accounts using the same attributes.
- Go to .
- In the Smart Card IdP, go to the User Matching section. Confirm that the values used for IdP username and Match against are the same for all users.
- Select the checkbox to Allow multiple identities matching the criteria. This allows one Smart Card to be matched with multiple Okta users that fit your criteria. The authentication fails if the checkbox isn't selected and multiple matching users are found.
End-user experience
There are multiple ways users can enroll their Smart Card as an authenticator:
- During the sign-in process, they click the Sign-in with PIV/CAC button and follow the instructions to enroll the Smart Card.
- During the step-up authentication, they identify themselves in the Sign-In Widget and get prompted to enroll a Smart Card.
- They enroll the Smart Card through .
Enroll multiple Smart Cards
Users can have multiple active Smart Cards at a time. They can enroll different Smart Cards for different IdPs associated with the Smart Card authenticator. If they lose their Smart Card, they must remove it from their account and enroll a new one.
Use Smart Card for verification
You can require a Smart Card when the user signs in or accesses a protected app. They must perform the Smart Card verification within the time period you've configured. If they don't, the operation times out and they must authenticate again.
Sign in with Smart Card or Okta FastPass
Early Access release. See Enable self-service features.
Currently, if you configured both the Sign in with Okta FastPass button and Smart Card as an authenticator, users only see the Smart Card option when they sign in. By enabling this feature, you can make both options available for users during the sign-in process.