Okta FastPass FAQ
Reference the following frequently asked questions (FAQs) to find answers to your Okta FastPass questions:
-
The device is registered (enrolled in Okta Verify).
-
A user profile associated with the device is managed by a device management solution.
-
The device is configured for device management in . Ensure that this is completed before the user authenticates with Okta FastPass.
-
The user authenticated with Okta FastPass from the managed device at least once.
- Silent authentication (authenticate without user verification), to satisfy 1FA, or
- Silent authentication and user verification, to satisfy 2FA.
- Silent authentication (authenticate without user verification), to satisfy 1FA, or
- Silent authentication and user verification, to satisfy 2FA.
Can I use Okta FastPass to sign in to my computer?
No.Can I use Okta FastPass without Okta Verify?
No.
Do users require the latest version of Okta Verify to use Okta FastPass?
Yes. Users must install the latest version of Okta Verify and set up an account to enroll the device in Okta.
How do end users get Okta Verify? Why do they have to enroll with Okta Verify for Okta FastPass?
As an admin, you can deploy Okta Verify to devices as a managed app. Then, you can ask users to set up an account. When users add an account in Okta Verify, the device is registered in the Okta Universal Directory. Okta Verify detects the presence of management certs on the device, to attest that a device is managed or trusted.
See Okta Verify for Windows, Okta Verify for macOS, Okta Verify for iOS, and Okta Verify for Android to learn more about the enrollment experience, and see Device registration to learn more about the device registration process.
Why is the device status Not managed although I set up device integration?
Devices are managed if they meet these conditions:
Okta uses the term user verification to reference biometrics. User verification includes facial recognition and fingerprint.
Can facial recognition or fingerprint be used with Okta FastPass?
Yes. With Okta FastPass, users can use:
Okta uses the term user verification to reference biometrics. User verification includes facial recognition and fingerprint.
Are end users forced to use biometrics with Okta FastPass?
User verification (biometrics) is a configurable option. Admins can set user verification to Preferred or Required. This is only enforced on enrollment. Admins can't enforce user verification during authentication using Okta FastPass.
See Enable Okta FastPass.
What happens if biometrics is required with Okta FastPass, but not available on the device?
If a device doesn't support biometrics and the organization requires it, the user can't add an account to Okta Verify, or use Okta Verify for authentication on that device.
If a user has biometrics set up with Okta FastPass, can they also enroll using a passcode?
Pin fallback isn't allowed on Windows, macOS, iOS, or Android devices.
Can I enforce Push on Okta Verify if the end user doesn’t provide biometrics?
Admins can't configure the authentication policy to specifically enforce push notifications on Okta Verify, but they can ask for a possession factor. The possession factor requirement can be satisfied with an Okta Verify push notification, sending a one-time password to email, Okta FastPass without user verification, or SMS.
See Configure an authentication policy for passwordless authentication with Okta FastPass.
Is Okta FastPass supported on Linux Desktops or Chromebooks?
For desktop platforms, Okta FastPass is only supported on Windows and macOS. For mobile, Okta FastPass is available on iOS, and Android.
How does Okta Verify know if a device is trusted?
When a user attempts to access an app, if the app requires device context, the Okta Sign-In Widget sends a challenge to Okta Verify. Okta Verify responds to the Okta Sign-In Widget with the required signals.
Are unmanaged devices supported with Okta FastPass, or is device management required?
Okta FastPass doesn't require devices to be managed. All functionality works on devices that are managed and unmanaged. Users with unmanaged devices must install the latest version of Okta Verify and enroll (add an account to Okta Verify) before they can use Okta FastPass. The management state is a signal that is passed for policy decisions.
What happens when I disable Okta FastPass?
When you disable Okta FastPass, users can't sign in with Okta FastPass, but they can still sign in with other authenticators that satisfy assurance.
When you clear the Okta FastPass (all platforms) checkbox to disable Okta FastPass, any authentication policy with a device condition can no longer be evaluated. This can result in unexpected behavior.
See Disable Okta FastPass, and Configure Okta FastPass.
Is it correct that Okta FastPass can't lock users out of their computers?
Okta FastPass doesn't protect access to the device or operating system.
Does Okta FastPass support Yubikeys?
No. Okta FastPass is an authentication method, similar to Yubikey. Yubikey provides extra compliance benefits at the cost of user experience. You can configure Okta assurance policies to require both Okta FastPass and Yubikey, or require Yubikey only for apps.
Is Okta FastPass FIDO-compatible? Is it a factor?
Okta FastPass is not compatible with Fast Identity Online (FIDO). Okta FastPass is one authentication factor available with the Okta Verify authenticator app. Okta FastPass without user verification (biometrics) satisfies 1FA, and Okta FastPass with user verification satisfies 2FA. Okta supports FIDO WebAuthn outside of Okta Verify.
Can I configure Okta FastPass for specific authentication policies or is it a global configuration?
Once you enable Okta FastPass at the organization level, all users in the organization are able to use Okta FastPass. However, you can configure each authentication policy to specify if Okta FastPass can be used for the app.