Configure an authentication policy for passwordless authentication with Okta FastPass

Learn how to set up authentication policies to enable secure passwordless authentication with Okta FastPass.

Before you begin

  • Protect all your apps with strong authentication policies. Then remove the default global password requirement from your global session policy. This change transfers the authentication logic and control from the global session policy to the authentication policies.
  • Before you configure your policy, ensure that all users are enrolled in Okta Verify. When users add an Okta Verify account, their devices are registered in the Okta Universal Directory.
  • If you upgrade from Classic Engine, see App sign-on policies.

Configure authentication policy rules

  1. Create authentication policy rules. See Add an authentication policy rule.
    • Rule 1 grants users access to apps on managed registered devices that have secure hardware. Require users to authenticate with any two factor types.
    • Rule 2 grants users access to apps on unmanaged registered devices. Require users to authenticate with any factor type except phone or email.
    • Rule 3 (catch-all rule) denies access to all users who don't satisfy Rule 1 or 2.

  2. Confirm that the most restrictive rule that grants access (Rule 1) is at the top of the list. The catch-all rule (Rule 3) must be at the bottom of the list.

Policy rule examples

Rule 1 (most restrictive)

  • IF conditions:
    • Device state is: Registered
    • Device management is: Managed
  • THEN actions:
    • Access is: Allowed after successful authentication
    • User must authenticate with: Any 2 factor types
    • Possession factor constraints are: Phishing resistant, Hardware protected, Require user interaction
    • Prompt for all other factors of authentication: Every time user signs in to resource

To access apps without providing a password, users must enable biometrics or passcode verification in their Okta Verify account.

Rule 2 (less restrictive)

  • IF conditions:
    • Device state is: Registered
    • Device management is: Not managed
  • THEN actions:
    • Access is: Allowed after successful authentication
    • User must authenticate with: Password / IdP + Another factor
    • Possession factor constraints are: Phishing resistant, Hardware protected, Require user interaction

      If you select Require user interaction, users who authenticate with Okta Verify must approve an Okta Verify prompt. If you also select Require PIN or biometric user verification, users must complete biometrics or PIN verification to gain access to their resources.

    • Prompt for all other factors of authentication: Every time user signs in to resource

Rule 3 (catch-all rule)

Edit the catch-all rule to deny access to users who don't satisfy the conditions of Rule 1 or 2.

Related topics

Authentication policies

Add device assurance to an authentication policy