Okta FastPass FAQ
Reference the following frequently asked questions (FAQs) to find answers to your Okta FastPass questions:
-
Can I use Okta FastPass to log in to my computer?
-
Can I use Okta FastPass without Okta Verify?
-
Do end users require the latest version of Okta Verify to use Okta FastPass?
-
How do end users get Okta Verify, and why do they need to enroll with Okta Verify for Okta FastPass?
-
Can facial recognition or fingerprint be used with Okta FastPass?
- Silent authentication (authenticate without user verification), to satisfy 1FA, or
- Silent authentication and user verification, to satisfy 2FA.
-
Are end users forced to use biometrics with Okta FastPass?
-
What happens if biometrics is required with Okta FastPass, but not available on the device?
-
If an end user has biometrics set up with Okta FastPass, will there also be an option for the them to enroll using a passcode?
-
Can I enforce Push on Okta Verify if the end user doesn’t provide biometrics?
-
Is Okta FastPass supported on Linux Desktops or Chromebooks?
-
How does Okta Verify know if a device is trusted?
-
Are unmanaged devices supported with Okta FastPass, or is device management required?
-
What happens when I disable Okta FastPass?
-
End users won't be able to log in with Okta FastPass, but they can still log in with other factors that satisfy assurance.
-
Be aware that when you clear the Okta FastPass (all platforms) checkbox to disable Okta FastPass, any authentication policy with a device condition can no longer be evaluated. This can result in unexpected behavior.
-
Is it correct that Okta FastPass cannot lock users out of their computers?
-
Does Okta FastPass support Yubikeys?
-
Is Okta FastPass FIDO-compatible? Is it a factor?
-
Can I configure Okta FastPass for specific authentication policies or is it a global configuration?
No.
No.
Yes, the latest version of Okta Verify is required for Okta FastPass, and the end user must enroll (add an account) in Okta Verify.
As an admin, you can deploy Okta Verify to devices as a managed app and communicate with end users that they need to enroll with Okta Verify.
Okta Verify enrollment is required for device registration and presence in Okta Universal Directory. Okta Verify detects the presence of management certs on the device, to attest that a device is managed or trusted.
See Okta Verify for Windows, Okta Verify for macOS, Okta Verify for iOS, and Okta Verify for Android to learn more about the end user enrollment experience, and see Device registration to learn more about the device registration process.
Yes. With Okta FastPass, users can use:
Okta uses the term user verification to reference biometrics. User verification includes facial recognition and fingerprint.
User verification (biometrics) is a configurable option. Admins can set user verification to Preferred or Required. This is currently only enforced on enrollment. Admins cannot enforce user verification during authentication using Okta FastPass.
See Enable Okta FastPass.
If a device does not support biometrics and the organization requires it, the user won't be able to add an account to Okta Verify, or use Okta Verify for authentication on that device.
Pin fallback is not allowed on Windows, macOS, iOS, or Android devices.
Admins cannot configure the authentication policy to specifically enforce Push on Okta Verify, but they can ask for a Possession factor. The possession factor can be satisfied with Okta Verify Push, sending a one-time password to email, Okta FastPass without user verification, or SMS.
For desktop platforms, Okta FastPass is currently only supported on Windows and macOS. For mobile, Okta FastPass is available on iOS, and Android.
When a user attempts to access an app, if the app requires device context, the Okta Sign-In Widget sends a challenge to Okta Verify. Okta Verify responds to the Okta Sign-In Widget with the required signals.
Okta FastPass does not require device management. All functionality works on devices that are managed and not managed. Users with unmanaged devices must install the latest version of Okta Verify and enroll (add an account to Okta Verify) before they can use Okta FastPass. Management state is a signal that is passed for policy decisions.
When you disable Okta FastPass:
See Disable Okta FastPass, and Configure Okta FastPass.
Okta FastPass does not protect access to the device or operating system.
No. Okta FastPass is an authentication method, similar to Yubikey. Yubikey provides additional compliance benefits at the cost of user experience. Admins can choose to provide both Okta FastPass and Yubikey using Okta assurance policies, or require Yubikey only for apps.
Okta FastPass is not compatible with Fast Identity Online (FIDO). Okta FastPass is one authentication factor available with the Okta Verify authenticator app. Okta FastPass without user verification (biometrics) satisfies 1FA, and Okta FastPass with user verification satisfies 2FA. Okta Identity Engine does support FIDO WebAuthn outside of Okta Verify.
Once you enable Okta FastPass at the organization level, all users in the organization are able to use Okta FastPass. However, you can configure each authentication policy to specify if Okta FastPass can be used for the app.