Okta FastPass FAQ

Reference the following frequently asked questions (FAQs) to find answers to your Okta FastPass questions:

  • Can I use Okta FastPass to log in to my computer?

  • No.

  • Can I use Okta FastPass without Okta Verify?

  • No.

  • Do end users require the latest version of Okta Verify to use Okta FastPass?

  • Yes, the latest version of Okta Verify is required for Okta FastPass, and the end user must enroll (add an account) in Okta Verify.

  • How do end users get Okta Verify, and why do they need to enroll with Okta Verify for Okta FastPass?

  • As an admin, you can deploy Okta Verify to devices as a managed app and communicate with end users that they need to enroll with Okta Verify.

    Okta Verify enrollment is required for device registration and presence in Okta Universal Directory. Okta Verify detects the presence of management certs on the device, to attest that a device is managed or trusted.

    See Okta Verify for Windows, Okta Verify for macOS, Okta Verify for iOS, and Okta Verify for Android to learn more about the end user enrollment experience, and see Device registration to learn more about the device registration process.

  • Can facial recognition or fingerprint be used with Okta FastPass?

  • Yes. With Okta FastPass, users can use:

    • Silent authentication (authenticate without user verification), to satisfy 1FA, or
    • Silent authentication and user verification, to satisfy 2FA.

    Okta uses the term user verification to reference biometrics. User verification includes facial recognition and fingerprint.

  • Are end users forced to use biometrics with Okta FastPass?

  • User verification (biometrics) is a configurable option. Admins can set user verification to Preferred or Required. This is currently only enforced on enrollment. Admins cannot enforce user verification during authentication using Okta FastPass.

    See Enable Okta FastPass.

  • What happens if biometrics is required with Okta FastPass, but not available on the device?

  • If a device does not support biometrics and the organization requires it, the user won't be able to add an account to Okta Verify, or use Okta Verify for authentication on that device.

  • If an end user has biometrics set up with Okta FastPass, will there also be an option for the them to enroll using a passcode?

  • Pin fallback is not allowed on Windows, macOS, iOS, or Android devices.

  • Can I enforce Push on Okta Verify if the end user doesn’t provide biometrics?

  • Admins cannot configure the authentication policy to specifically enforce Push on Okta Verify, but they can ask for a Possession factor. The possession factor can be satisfied with Okta Verify Push, sending a one-time password to email, Okta FastPass without user verification, or SMS.

    See Configure an authentication policy for Okta FastPass .

  • Is Okta FastPass supported on Linux Desktops or Chromebooks?

  • For desktop platforms, Okta FastPass is currently only supported on Windows and macOS. For mobile, Okta FastPass is available on iOS, and Android.

  • How does Okta Verify know if a device is trusted?

  • When a user attempts to access an app, if the app requires device context, the Okta Sign-In Widget sends a challenge to Okta Verify. Okta Verify responds to the Okta Sign-In Widget with the required signals.

  • Are unmanaged devices supported with Okta FastPass, or is device management required?

  • Okta FastPass does not require device management. All functionality works on devices that are managed and not managed. Users with unmanaged devices must install the latest version of Okta Verify and enroll (add an account to Okta Verify) before they can use Okta FastPass. Management state is a signal that is passed for policy decisions.

  • What happens when I disable Okta FastPass?

  • When you disable Okta FastPass:

    • End users won't be able to log in with Okta FastPass, but they can still log in with other factors that satisfy assurance.

    • Be aware that when you clear the Okta FastPass (all platforms) checkbox to disable Okta FastPass, any authentication policy with a device condition can no longer be evaluated. This can result in unexpected behavior.

    See Disable Okta FastPass, and Configure Okta FastPass.

  • Is it correct that Okta FastPass cannot lock users out of their computers?

  • Okta FastPass does not protect access to the device or operating system.

  • Does Okta FastPass support Yubikeys?

  • No. Okta FastPass is an authentication method, similar to Yubikey. Yubikey provides additional compliance benefits at the cost of user experience. Admins can choose to provide both Okta FastPass and Yubikey using Okta assurance policies, or require Yubikey only for apps.

  • Is Okta FastPass FIDO-compatible? Is it a factor?

  • Okta FastPass is not compatible with Fast Identity Online (FIDO). Okta FastPass is one authentication factor available with the Okta Verify authenticator app. Okta FastPass without user verification (biometrics) satisfies 1FA, and Okta FastPass with user verification satisfies 2FA. Okta Identity Engine does support FIDO WebAuthn outside of Okta Verify.

  • Can I configure Okta FastPass for specific authentication policies or is it a global configuration?

  • Once you enable Okta FastPass at the organization level, all users in the organization are able to use Okta FastPass. However, you can configure each authentication policy to specify if Okta FastPass can be used for the app.

Related topics