Passwordless authentication deployment guide

Why passwordless?

Traditional authentication with a username and password has been the foundation of digital identity for over 50 years. With the ever-growing number of user accounts, there are new issues: the burden on users to remember multiple passwords, support costs, and most importantly, the security risks posed by compromised credentials. As a result, the case for eliminating passwords from the authentication experience is more compelling every day.

Understanding the need for passwordless authentication starts with understanding the core challenges presented by passwords. These are:

  • Poor user experience
  • Poor account security
  • Increased costs

Moving beyond passwords requires thought and planning. Before deciding to eliminate passwords, organizations should evaluate threats, technology, user journeys, costs, adoption friction, and implementation.

Go passwordless

Going passwordless can be accomplished using several different technologies. Fundamentally, passwordless authentication is synonymous with eliminating knowledge factor authentication methods (all memorized secrets).

The following table includes examples of assurance levels, the requirements for authentication, and device context.

Authentication Assurance Level | Low                         | Medium                      | High
Factor Type                    | Possession                  | Possession + Registered     | Possession + Inherence
Device Context or state        | Not managed, not registered | Registered but not managed  | Registered and managed (optional)

Passwordless authenticators and authentication method options:
  • Email (magic link)
  • SMS or Phone OTP
  • WebAuthn only (the cryptographic key is unique to you)
  • Okta Verify (no biometrics)
  • Okta FastPass (without biometrics)
  • WebAuthn + Okta Verify Push (no biometrics)
  • Okta FastPass (with biometrics)

For even more sophisticated policies enabling passwordless authentication, the user context can be taken into account. Internal users might have different requirements or constraints than contractors or partners. Okta offers flexibility to bring users, networks, and even risk assessment into consideration when designing policies.

Okta FastPass

Okta FastPass is a passwordless authentication method offered by Okta Verify. Users follow a one-time process with Okta Verify to register their devices in the Okta Universal Directory. Device registration creates a strong user and device binding that establishes an ongoing session to Okta.

Key benefits of Okta FastPass include:

  • Secure passwordless experience offers medium or high assurance levels when used with biometrics
  • "Always-on" productivity, regardless of location
  • Universal Directory provides greater admin visibility and doesn't require Active Directory or LDAP

Okta FastPass is available on Microsoft Windows, Apple macOS, iOS and iPadOS, and Android. It offers the same experience across these platforms.

How does Okta FastPass work?

After the one-time device registration, the user has passwordless access to all resources in Okta. Once a device is registered, the user is not prompted for a username or password when they try to sign in to their Okta apps. The passwordless experience is controlled by the Global Session Policy and authentication policy configured by the admin.

User experience

When Okta FastPass is activated, a new authentication method is available to the user. Depending on the authentication policy setting, Okta Verify prompts the user, requires biometrics, or both.

Okta admin experience

When users authenticate with Okta FastPass, the device that they use is registered and visible through the Device Context feature. For more information about administrator features, such as suspending or deactivating devices, consult the Device Context Deployment Guide.

Before you begin

Before you deploy Okta FastPass, consider the following:

  • The default "catch-all" rule in an authentication policy may not be restrictive enough to protect the app it applies to. Before you enable Okta FastPass and delegate authentication to your authentication policies, be sure that those policies are sufficiently restrictive.
  • Although Okta Verify creates a strong binding between users and their devices, it does not replace a device management solution. For your most sensitive apps, limit Okta FastPass to managed devices only.
  • If the user loses access to their device (or the device is suspended or deactivated by an Okta admin), it is impossible for the user to authenticate unless other authenticators are available.
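As an added illustration that is not part of this guide and does not model Okta's actual policy engine, the following Python captures the assurance levels in the table above together with the three points just listed: a permissive catch-all rule admits a low-assurance sign-in from an unmanaged device, a rule set that restricts a sensitive app to managed devices with biometrics and ends in a deny catch-all does not, and a user with no usable authenticator is denied either way. The Attempt and Rule classes, the rule names, and first-match evaluation in priority order are assumptions of this model.

```python
from dataclasses import dataclass

# Assurance levels from the table above, ordered lowest to highest.
LEVELS = ("low", "medium", "high")

@dataclass
class Attempt:
    """One sign-in attempt: device state plus the factor presented (constructed)."""
    registered: bool          # device registered with Okta Verify
    managed: bool             # device enrolled in a management solution
    possession: bool          # some possession factor is available at all
    biometrics: bool = False  # inherence factor, e.g. FastPass with biometrics

@dataclass
class Rule:
    """Simplified authentication-policy rule (hypothetical model, not Okta's schema)."""
    name: str
    allow: bool                 # action: allow or deny
    min_level: str = "low"      # assurance required when allowing
    managed_only: bool = False  # condition: rule matches managed devices only

def assurance_level(a: Attempt):
    """Factor-type row of the table: possession -> low, possession on a
    registered device -> medium, possession + inherence -> high."""
    if not a.possession:
        return None                       # lost/suspended device, nothing left to present
    if not a.registered:
        return "low"
    return "high" if a.biometrics else "medium"

def evaluate(rules, a: Attempt):
    """First rule whose conditions match decides; rules are in priority
    order with the catch-all last. Returns (decision, rule name)."""
    level = assurance_level(a)
    for r in rules:
        if r.managed_only and not a.managed:
            continue                      # condition not met, fall through
        if not r.allow or level is None:
            return "DENY", r.name
        if LEVELS.index(level) >= LEVELS.index(r.min_level):
            return "ALLOW", r.name
        return "DENY", r.name             # matched, but assurance too low

# Permissive default catch-all versus a restrictive policy for a sensitive app.
WEAK_POLICY = [Rule("catch-all", allow=True, min_level="low")]
STRICT_POLICY = [
    Rule("managed devices, biometrics", allow=True, min_level="high", managed_only=True),
    Rule("catch-all", allow=False),
]

SMS_ON_UNMANAGED = Attempt(registered=False, managed=False, possession=True)
FASTPASS_BIO_MANAGED = Attempt(registered=True, managed=True, possession=True, biometrics=True)
LOST_DEVICE = Attempt(registered=False, managed=False, possession=False)
```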

Next steps

Prerequisites for configuring passwordless authentication

Use cases for configuring passwordless authentication