Configure an authentication policy for passwordless authentication with Okta FastPass

You can set up an authentication policy to enable secure passwordless authentication with Okta FastPass.

Before you begin

  • When you set up passwordless authentication with Okta FastPass, first protect all your apps with strong authentication policies, and only then remove the default password requirement from your global session policy. Removing it transfers the authentication logic and control from the global session policy to the authentication policies, so an app that has no strong authentication policy of its own is no longer covered by the session-level password requirement.

  • Before you configure your policy, ensure that all users are enrolled in Okta Verify. When users add an Okta Verify account, their devices are registered in the Okta Universal Directory.

  • If you upgrade from Classic Engine, see App sign-on policies.

Start this task

  1. Create authentication policy rules. See Add an authentication policy rule. Use these examples:
    • Rule 1 grants users access to apps from registered, managed devices that have secure hardware. Require users to authenticate with any two factor types.

    • Rule 2 grants users access to apps from registered devices that aren't managed. Require users to authenticate with their password (or IdP) plus another factor; phone and email authenticators are excluded.

    • Rule 3 (catch-all rule) denies access to all users who don't satisfy Rule 1 or Rule 2.

  2. Confirm the rule order. Rules are evaluated from the top down and the first rule whose conditions match is applied, so put the rule with the most specific conditions (Rule 1, managed devices) at the top. The catch-all rule (Rule 3) must be at the bottom of the list; if it sits above another rule, that rule never applies.

Rule 1: Access from registered, managed, hardware-protected devices with any two factor types

Select the options listed in the table. If the conditions are satisfied, users can access their apps. To access apps without providing a password, users must enable biometrics or passcode verification in Okta Verify.

IF conditions

  • Device: Registered, Managed

THEN rule

  • Access: is allowed after successful authentication

  • User must authenticate with: Any two factor types

  • Possession factor constraints are:

    • Phishing resistant

    • Hardware protected

    • Exclude phone and email authenticators

    • Require user interaction

  • Prompt for authentication: Every time user signs in to resource

Rule 2: Access from registered, not managed, hardware-protected devices with two factor types (password and possession)

Select the options listed in the table. To satisfy these conditions, users enter their password (or authenticate with an IdP) and then verify with any enrolled possession factor except phone and email. If you select Require user interaction, users who authenticate with Okta Verify must approve an Okta Verify prompt. If you also select Require PIN or biometric user verification, users must complete biometric or PIN verification before they can access their resources.

IF conditions

  • Device: Registered, Not Managed

THEN rule

  • Access: is allowed after successful authentication

  • User must authenticate with: Password / IdP + Another factor

  • Possession factor constraints are:

    • Phishing resistant

    • Hardware protected

    • Exclude phone and email authenticators

    • Require user interaction

  • Prompt for authentication: Every time user signs in to resource

Rule 3: Catch-all rule

Edit the catch-all rule so that Access is denied. It applies to every sign-in attempt that doesn't satisfy the conditions of Rule 1 or Rule 2, for example a device that isn't registered.
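The three rules above, expressed as rule payloads and checked with a first-match evaluator, as an added example that is not part of the Okta documentation and is not Okta's own code. The JSON field names (`conditions.device`, `actions.appSignOn.verificationMethod`, `factorMode`, `reauthenticateIn`, the `possession`/`knowledge` constraints and the `phone_number`/`okta_email` authenticator keys) follow the Okta Policy API ACCESS_POLICY rule schema as the author understands it; treat them as assumptions and confirm them against the current API reference before using them. The evaluator and `ordering_problems` check are the author's own and exist to show why the catch-all rule must be last.

```python
"""Build the Rule 1 / Rule 2 / catch-all rules as Okta-style ACCESS_POLICY
payloads and verify their ordering with a first-match evaluator (added example)."""
import json

# Authenticator keys/methods to exclude; assumed identifiers, check the API reference.
EXCLUDE_PHONE_EMAIL = [
    {"key": "phone_number", "method": "sms"},
    {"key": "phone_number", "method": "voice"},
    {"key": "okta_email", "method": "email"},
]


def possession_constraint() -> dict:
    """Possession factor constraints shared by Rule 1 and Rule 2."""
    return {
        "phishingResistant": "REQUIRED",
        "hardwareProtection": "REQUIRED",
        "userPresence": "REQUIRED",  # "Require user interaction"
        "excludedAuthenticationMethods": EXCLUDE_PHONE_EMAIL,
    }


def make_rule(name, priority, registered, managed, access, password_required=False) -> dict:
    """Assemble one rule. A rule with no conditions is a catch-all (matches everything)."""
    conditions = {}
    if registered is not None:
        conditions["device"] = {"registered": registered}
        if managed is not None:
            conditions["device"]["managed"] = managed
    action = {"access": access}
    if access == "ALLOW":
        constraint = {"possession": possession_constraint()}
        if password_required:  # "Password / IdP + Another factor"
            constraint["knowledge"] = {"types": ["password"], "required": True}
        # factorMode 2FA with no knowledge constraint = "Any two factor types"
        action["verificationMethod"] = {
            "type": "ASSURANCE",
            "factorMode": "2FA",
            "reauthenticateIn": "PT0S",  # prompt every time the user signs in
            "constraints": [constraint],
        }
    return {"name": name, "type": "ACCESS_POLICY", "priority": priority,
            "conditions": conditions, "actions": {"appSignOn": action}}


def build_rules() -> list:
    """The three rules from the procedure, lowest priority number evaluated first."""
    return [
        make_rule("Rule 1: managed devices, any two factors", 0, True, True, "ALLOW"),
        make_rule("Rule 2: unmanaged devices, password + possession", 1, True, False,
                  "ALLOW", password_required=True),
        make_rule("Catch-all Rule", 2, None, None, "DENY"),
    ]


def rule_matches(rule: dict, ctx: dict) -> bool:
    """A rule matches when every device condition it states agrees with the context."""
    device = rule["conditions"].get("device", {})
    return all(ctx.get(key) == value for key, value in device.items())


def evaluate(rules: list, ctx: dict) -> tuple:
    """Top-down evaluation: the first matching rule decides. Returns (rule name, access)."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule_matches(rule, ctx):
            return rule["name"], rule["actions"]["appSignOn"]["access"]
    return None, "DENY"  # nothing matched; treat as deny


def ordering_problems(rules: list) -> list:
    """Flag orderings that silently change the outcome of the policy."""
    ordered = sorted(rules, key=lambda r: r["priority"])
    problems = []
    for index, rule in enumerate(ordered):
        if rule["conditions"] == {} and index != len(ordered) - 1:
            problems.append(f"{rule['name']} is not last; rules below it never apply")
    if ordered[-1]["actions"]["appSignOn"]["access"] != "DENY":
        problems.append("last rule does not deny; unmatched sign-ins are not blocked")
    return problems


if __name__ == "__main__":
    rules = build_rules()
    print(json.dumps(rules[0], indent=2))
    # Constructed device contexts for the three cases the procedure covers.
    for ctx in ({"registered": True, "managed": True},
                {"registered": True, "managed": False},
                {"registered": False, "managed": False}):
        print(ctx, "->", evaluate(rules, ctx))
    print("ordering problems:", ordering_problems(rules))
    misordered = build_rules()
    misordered[2]["priority"] = -1  # catch-all moved to the top
    print("misordered managed device ->", evaluate(misordered, {"registered": True, "managed": True}))
    print("misordered problems:", ordering_problems(misordered))
```

Running the script shows a managed device hitting Rule 1, an unmanaged registered device hitting Rule 2, and an unregistered device falling through to the deny. With the catch-all moved to the top, even the managed device is denied, which is the failure mode step 2 of the procedure guards against.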

Related topics

Authentication policies

Add an authentication policy rule

Add device assurance to an authentication policy

Expression Language attributes for devices