Configure the FIDO2 (WebAuthn) authenticator

In this use case, the user gets a passwordless sign-in with a WebAuthn authenticator on an unmanaged device. This example classifies that combination as a medium assurance level: the device is unmanaged, and the authenticator is used as a possession factor without required user verification.

The Okta WebAuthn authenticator follows the FIDO2 Web Authentication (WebAuthn) standard, a W3C web API built into browsers and related web platforms that lets sites authenticate users with public-key credentials held on a security key or in a platform authenticator, across sites and devices.

You can configure FIDO2 (WebAuthn) as a multifactor authentication (MFA) option. When a WebAuthn authenticator is configured, users must provide additional verification when signing in to Okta, using an authenticator (a roaming security key or a platform authenticator) enrolled specifically for WebAuthn. Users can enroll up to 10 instances of the same WebAuthn authenticator, either from the Sign-In Widget or from the settings page of their End-User Dashboard.

Add the WebAuthn authenticator

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Setup tab, click Add Authenticator.
  3. Click Add on the FIDO2 (WebAuthn) tile.

  4. Leave the User verification default setting as Discouraged. With Discouraged, the authenticator isn't required to verify the user with a PIN or biometric, so Okta can count the enrollment only as a possession factor.

  5. Click Add. When User verification is Discouraged, users who enroll a WebAuthn authenticator don't see the enrollment name of the authenticator they enrolled. Each enrollment is listed generically as Authenticator, with no further details about the authenticator.

Create a bookmark app

  1. In the Admin Console, go to Applications > Applications.
  2. Select Browse App Catalog.
  3. Search for Bookmark App, and then click Add.
  4. Change the Application label to Bookmark App 2.
  5. Enter a URL and click Done. Because this app is for demonstration purposes only, you can choose any URL you like. In a real environment, use the URL of the app you're setting up SSO for.
  6. Select the Assignments tab.
  7. Select Assign > Assign to Groups, and then select Assign for Okta FastPass Group 2. Don't click the group name unless you want to review the group properties.
  8. Click Done.

Create an authentication policy rule

Create an authentication policy rule that lets users in the group sign in to the app with a FIDO2 (WebAuthn) authenticator as a possession factor. After you save the rule, prioritize it over the default catch-all rule.

  1. In the Admin Console, go to Applications > Applications.
  2. Select Bookmark App 2.
  3. Select the Sign On tab. The default catch-all rule allows access with one authenticator (password).
  4. Click Add Rule.
  5. In the Add Rule dialog, add a rule name (for example, Bookmark App 2 rule).
  6. In the IF User's user type is field, select Any user type.
  7. In the AND User's group membership includes a field, select At least one of the following groups.
  8. Start typing the name of the group you created in the prerequisites (Okta FastPass Group 2) and then select it.
  9. In the AND User is field, select Any user.
  10. Use the default value (Any IP) for AND User's IP is.
  11. In the AND Device State is field, select Any. This turns off the silent polling feature of the Sign-In Widget, so the Sign-In Widget displays options for the authenticators you have enabled for your users. Use the default value (Any platform) for AND Device Platform is.
  12. Leave the AND The following custom expression is true field blank.
  13. In the THEN Access is field, select Allowed after successful authentication.
  14. In the AND User must authenticate with field, select Possession factor.
  15. Leave the default values in the remaining fields, and then click Save.

Test the user sign-in experience

Whenever you change settings, clear the browser's cache and cookies (or use a fresh private window) before you test them, so a cached session doesn't mask the new policy.

  1. In another browser instance or incognito window, go to the End-User Dashboard for this org.
  2. Select Bookmark App 2.
  3. Verify that the Sign-In Widget prompts you to authenticate with a Security Key or Biometric Authenticator rather than asking for a password.