Configure the Smart Card authenticator

The Smart Card authenticator allows users to authenticate using their Smart Card. The factor type and method characteristics of this authenticator depend on the options that you select for Security characteristics when configuring the Smart Card Identity Provider(IdP).

Select from the PIN protected and Hardware protected options based on the configuration of the smart cards that your org uses. This determines how the Smart Card authenticator behaves:

Option selected Factor type Method characteristics
No option selected Possession Device-bound


User presence

Only Hardware protected Possession Device-bound



User presence

Only PIN protected Possession + Knowledge Device-bound


User presence

User verifying

Both PIN protected and hardware protected Possession + Knowledge Device-bound



User presence

User verifying

Before you begin

Add a Smart Card IdP.

Add the Smart Card authenticator

  1. In the Admin Console, go to SecurityAuthenticators.
  2. On the Setup tab, click Add Authenticator.

  3. Click Add on the Smart Card Authenticator tile.
  4. From the Smart Card Identity Provider (IdP) dropdown menu, select all IdPs that you want to associate with this authenticator.
  5. Click Add. The authenticator appears in the list on the Setup tab.

Add Smart Card to authenticator enrollment policy

In Authenticators, go to the Enrollment tab to add the authenticator to a new or an existing authenticator enrollment policy. See Create an authenticator enrollment policy.

Edit or delete the Smart Card authenticator

Before you edit or delete the authenticator, you may have to update existing policies that use this authenticator.

  1. In Authenticators, go to the Setup tab.
  2. Open the Actions dropdown menu beside the authenticator, and then select Edit or Delete.

End-user experience

There are multiple ways users can enroll their Smart Card as an authenticator:

  1. During the sign-in process, they click the Sign-in with PIV/CAC button and follow the instructions to enroll the Smart Card.
  2. During the step-up authentication, they identify themselves in the Sign-In Widget and get prompted to enroll a Smart Card.
  3. They enroll the Smart Card through End-User DashboardSettings.

Enroll multiple Smart Cards

Users can have multiple active Smart Cards at a time. They can enroll different Smart Cards for different IdPs associated with the Smart Card authenticator. If they lose their Smart Card, they must remove it from their account and enroll a new one.

Use Smart Card for verification

You can require a Smart Card when the user signs in or accesses a protected app. They must perform the Smart Card verification within the time period you've configured. If they don't, the operation times out and they must authenticate again.

Sign in with Smart Card or Okta FastPass

Early Access release. See Manage Early Access and Beta features.

Currently, if you configured both the Sign in with Okta FastPass button and Smart Card as an authenticator, users only see the Smart Card option when they sign in. By enabling this feature, you can make both options available for users during the sign-in process.

Related topics

Multifactor authentication