Passwordless authentication deployment guide
Traditional authentication with a username and password has been the foundation of digital identity for over 50 years. As the number of accounts each user holds keeps growing, so do the problems: the burden on users to remember many passwords, the support cost of resetting them, and most importantly the security risk posed by compromised credentials. As a result, the case for eliminating passwords from the authentication experience becomes more compelling every day.
Understanding the need for passwordless authentication starts with understanding the core challenges presented by passwords. These are:
- Poor user experience
- Poor account security
- Increased costs
Moving beyond passwords requires thought and planning. Before deciding to eliminate passwords, organizations should evaluate threats, technology, user journeys, costs, adoption friction, and implementation.
Going passwordless can be accomplished with several different technologies. Fundamentally, passwordless authentication means eliminating knowledge-factor authentication methods, that is, all memorized secrets (security questions and PINs verified by the server included), not just the password itself.
The following table gives examples of assurance levels, the factor types each requires, and the device context for each level (the row for authenticators and methods is blank in this copy of the page).

| Authentication Assurance Level | Low | Medium | High |
|---|---|---|---|
| Factor type | Possession | Possession + Registered | Possession + Inherence |
| Passwordless authenticators and authentication method options | | | |
| Device context or state | Not managed, not registered | Registered but not managed | Registered and managed (optional) |
For even more sophisticated policies enabling passwordless authentication, the user context can be taken into account. Internal users might have different requirements or constraints than contractors or partners. Okta offers flexibility to bring users, networks, and even risk assessment into consideration when designing policies.
Okta FastPass is a passwordless authentication method offered by Okta Verify. Users follow a one-time process with Okta Verify to register their devices in the Okta Universal Directory. Device registration creates a strong user and device binding that establishes an ongoing session to Okta.
Key benefits of Okta FastPass include:
- Secure passwordless experience: medium assurance on its own (possession of a registered device) and high assurance when combined with biometrics (adding an inherence factor)
- "Always-on" productivity, regardless of location
- Universal Directory provides greater admin visibility and doesn't require Active Directory or LDAP
Okta FastPass is available on Microsoft Windows, Apple macOS, iOS and iPadOS, and Android. It offers the same experience across these platforms.
How does Okta FastPass work?
After the one-time device registration, the user has passwordless access to all resources in Okta. Once a device is registered, the user is not prompted for a username or password when they try to sign in to their Okta apps. The passwordless experience is controlled by the Global Session Policy and authentication policy configured by the admin.
When Okta FastPass is activated, a new authentication method is available to the user. Depending on the authentication policy setting, Okta Verify prompts the user, requires biometrics, or both.
Okta admin experience
When users authenticate with Okta FastPass, the device that they use is registered and visible through the Device Context feature. For more information about administrator features, such as suspending or deactivating devices, consult the Device Context Deployment Guide.
Before you begin
Before you deploy Okta FastPass, consider the following:
- The default "catch-all" rule in an authentication policy may not be enough to protect the app. Before you enable Okta FastPass and delegate authentication decisions to your authentication policies, be sure that those policies, including the catch-all rule, are sufficiently restrictive: a permissive catch-all lets any user who matches no specific rule sign in with whatever the catch-all allows.
- Although Okta Verify creates a strong binding between users and their devices, it does not replace a device management solution. For your most sensitive apps, limit Okta FastPass to managed devices only.
- If the user loses access to their device (or an Okta admin suspends or deactivates the device), the user cannot authenticate unless other authenticators are available. Make sure users have enrolled a fallback authenticator before Okta FastPass becomes their only sign-in path.
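The two policy checks above (a catch-all rule that is too permissive, and sensitive apps that should be limited to managed devices) can be run mechanically against an exported policy. The script below is an added example written for this guide, not Okta's own code: it audits a list of authentication-policy rules for gaps that undermine a FastPass-only, managed-device posture, then shows the catch-all rule switched to deny. The rule objects follow the shape of `ACCESS_POLICY` rules returned by the Okta Policy API (`GET /api/v1/policies/{policyId}/rules`) as the author understands it, and the two sample rules embedded in the script are constructed for illustration; the finding codes are this script's own.

```python
"""Audit Okta authentication-policy (ACCESS_POLICY) rules for gaps that weaken
a FastPass-only, managed-device posture.

Assumptions (not from the page): rule objects have the shape the Okta Policy
API returns; the sample export below is constructed for illustration.
"""
import copy
import json

# Constructed sample export: a FastPass rule for managed devices, plus the
# default catch-all rule that still allows any single factor.
SAMPLE_RULES_JSON = r"""
[
  {"name": "Managed devices: Okta FastPass with biometrics",
   "priority": 0, "type": "ACCESS_POLICY", "status": "ACTIVE",
   "conditions": {"network": {"connection": "ANYWHERE"},
                  "device": {"registered": true, "managed": true},
                  "riskScore": {"level": "ANY"}},
   "actions": {"appSignOn": {"access": "ALLOW",
     "verificationMethod": {"type": "ASSURANCE", "factorMode": "2FA",
       "reauthenticateIn": "PT12H",
       "constraints": [{"possession": {"deviceBound": "REQUIRED",
                                       "hardwareProtection": "REQUIRED",
                                       "userPresence": "REQUIRED"}}]}}}},
  {"name": "Catch-all Rule",
   "priority": 99, "type": "ACCESS_POLICY", "status": "ACTIVE", "system": true,
   "conditions": {"network": {"connection": "ANYWHERE"},
                  "riskScore": {"level": "ANY"}},
   "actions": {"appSignOn": {"access": "ALLOW",
     "verificationMethod": {"type": "ASSURANCE", "factorMode": "1FA",
                            "constraints": []}}}}
]
"""


def load_rules(raw=SAMPLE_RULES_JSON):
    """Parse an exported rule list (the constructed sample by default)."""
    return json.loads(raw)


def audit_rule(rule):
    """Return (code, message) findings for one rule; DENY rules have none."""
    findings = []
    sign_on = rule.get("actions", {}).get("appSignOn", {})
    if sign_on.get("access") != "ALLOW":
        return findings
    device = rule.get("conditions", {}).get("device", {})
    if not device.get("registered"):
        findings.append(("UNREGISTERED_DEVICE",
                         "rule does not require a registered device, so FastPass is not guaranteed"))
    if not device.get("managed"):
        findings.append(("UNMANAGED_DEVICE",
                         "rule allows unmanaged devices; limit sensitive apps to managed devices"))
    method = sign_on.get("verificationMethod", {})
    constraints = method.get("constraints", [])
    if method.get("factorMode") == "1FA" and not constraints:
        findings.append(("ANY_SINGLE_FACTOR",
                         "1FA with no constraints: any single authenticator, a password included, satisfies the rule"))
    if any("knowledge" in c for c in constraints):
        findings.append(("PASSWORD_PERMITTED",
                         "a knowledge-factor constraint keeps a memorized secret in the flow"))
    possession = [c["possession"] for c in constraints if "possession" in c]
    if not any(p.get("deviceBound") == "REQUIRED" for p in possession):
        findings.append(("NO_DEVICE_BOUND_POSSESSION",
                         "no constraint requires a device-bound possession factor such as Okta Verify"))
    if rule.get("system") is True:
        findings.append(("CATCH_ALL_ALLOWS",
                         "the default catch-all rule grants access; set it to DENY so only explicit rules allow sign-in"))
    return findings


def audit_policy(rules):
    """Map rule name -> findings, omitting rules with nothing to report."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule["name"]] = findings
    return report


def deny_catch_all(rules):
    """Return a copy of the rule list with every system catch-all set to DENY."""
    fixed = copy.deepcopy(rules)
    for rule in fixed:
        if rule.get("system") is True:
            rule["actions"]["appSignOn"]["access"] = "DENY"
    return fixed


if __name__ == "__main__":
    rules = load_rules()
    for name, findings in audit_policy(rules).items():
        print(name)
        for code, message in findings:
            print(f"  {code}: {message}")
    print("after deny_catch_all:", audit_policy(deny_catch_all(rules)))
```

Run against a real export, the script flags only the rules that grant access; the managed-device FastPass rule passes cleanly, while the catch-all is reported on every check because it allows any single factor on any device. Setting the catch-all to DENY clears it, leaving the explicit rules as the only paths to sign-in.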