Prerequisites for configuring passwordless authentication
Before you create authentication policy rules for the use cases, perform the following tasks:
- Enable Okta FastPass using Okta Verify as an authenticator
- Create an Okta FastPass group
- Create the Global Session Policy
Before you deploy passwordless authentication, consider the following questions. The answers to these questions will impact configuration settings and determine the type of passwordless experience you should use.
- When is a user allowed this experience based on device context? Should it include all devices? Registered devices only? Managed devices only?
- What requirements must a sign-in event meet to allow this flow?
- Which types of devices are predominant in the environment? Do all of these have native biometric access? Do you want to enforce biometric flows each time?
- What are your authentication requirements for each app? You should understand Okta assurance levels and how they apply to authenticator types.
- What other factors are allowed in Okta?
- Does your organization use Active Directory?
- Do you allow users to bring their own devices?
- Do you want a different user experience depending on the device platform (for example, iOS or Windows)?
- Do you want users to be signed in silently, without user interaction?
- Do you want your app policies to apply to users coming in from specific network zones?
Enable Okta FastPass using Okta Verify as an authenticator
- In the Admin Console, go to Security > Authenticators.
- Click the Setup tab.
- For Okta Verify, click Actions > Edit.
- Select the Okta FastPass (all platforms) checkbox.
- In the Okta FastPass section, select the Show the "Sign in with Okta FastPass" button checkbox.
The Sign in with Okta FastPass button acts as a backup if Okta Verify doesn't load automatically, and it offers an alternative if the user's device management solution prevents silent sign-in. It also provides first-time users with a walkthrough for Okta Verify installation and device registration.
The first sign-in event from an unknown device shows a standard flow with password and email options if authentication is allowed. When the user successfully signs in from that device, they are presented with all available authenticators for subsequent authentication attempts.
On subsequent authentication attempts, users see this button.
If Okta Verify is installed on the device and biometrics are enabled, Okta prompts the user for biometrics at each sign-in attempt, regardless of the requirements configured in the authentication policy. Biometrics satisfy a higher level of assurance, so the flow is simplified if a user signs in to any other app during their current session.
Furthermore, using Okta FastPass with Biometrics enabled allows users to satisfy two authentication factors with a single action:
- Proof of possession - because the user is in possession of the device on which Okta FastPass is running
- Inherence - because the user's face or fingerprint is scanned by the device
If an admin requires only biometrics as an authentication factor and doesn't require users to enroll in Okta FastPass, then users must satisfy biometric verification plus one other authentication factor whenever a sign-on policy requires multifactor authentication.
Create an Okta FastPass group
To simplify the examples in the rest of this document, create a group for passwordless authentication and add a person to it. This example uses bookmark apps. In your environment, use the app integration you need for each app.
- In the Admin Console, go to Directory > Groups.
- Click Add Group.
- Enter a Name (for example, Okta FastPass Group 1) and a Group Description, and click Add Group.
- Go to Directory > People and click Add person.
- Enter a First name, Last name, Username, and Primary email. Add your own email to the Secondary email field.
- In the Groups field, select the Okta FastPass group you created in Step 2.
- In the Password field, select Set by admin, and enter a password.
- Clear User must change password on first login.
- Click Save. This is the group you'll use to walk through the steps for the first use case: Configure simple security with one-factor authentication.
- Optional. Create two more groups (Okta FastPass Group 2 and Okta FastPass Group 3) for the other two use cases described in this document:
  - Configure two-factor authentication for registered and unmanaged devices
  - Configure the FIDO2 (WebAuthn) authenticator
Create the Global Session Policy
Configuring passwordless authentication requires you to change your Global Session Policy by adding a higher priority rule. This change shifts responsibility for defining and enforcing strict authentication requirements to each of your authentication policies. Before you change your Global Session Policy, be sure your apps are protected with a strong authentication policy. It's a best practice to leave the default Global Session Policy and authentication policy with their original settings.
- In the Admin Console, go to Security > Global Session Policy.
- Select Add New Global Session Policy.
- Enter a Policy Name. A best practice is to add "Global Session Policy" to the name so that it's easy to see which policies are Global Session Policies when you read the logs.
- Assign this policy to the group you created in Create an Okta FastPass group.
- Click Create Policy and Add Rule.
- In the Add Rule dialog, enter a Rule Name.
- Change AND Primary factor is to Password / IDP / any factor allowed by app sign on rules.
In the new sign-on flow, Okta first determines who the user is and then assesses MFA requirements based on the app they're trying to access. The combination of the user and app tells Okta which policy applies. The authentication policy determines which factors are required or allowed.
- Clear AND Require secondary factor.
Clearing this option removes the requirement for MFA for every app in this org. It also makes the Global Session Policy defer completely to the authentication policies to determine which authenticators are needed to access the app.
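The following audit script is an added example, not Okta's code or API: it models the shift of responsibility described above (once the Global Session Policy rule clears the secondary factor requirement, each app's authentication policy must supply the strength on its own) and applies the earlier observation that Okta FastPass with biometrics counts as two factor types, possession and inherence, while FastPass without biometrics proves possession only. The dict shapes, field names (`requireFactor`, `factorMode`, `allowed`) and the three app policies are simplified, constructed assumptions rather than the real Okta Policies API schema.

```python
# Added audit example, not Okta's code. Field names and dict shapes are
# simplified assumptions, not the real Okta Policies API schema.

# Factor types one verification provides. Per the page, FastPass with
# biometrics satisfies possession and inherence in a single action,
# while FastPass without biometrics only proves possession.
FACTOR_TYPES = {
    "password": {"knowledge"},
    "okta_verify_fastpass": {"possession"},
    "okta_verify_fastpass_biometric": {"possession", "inherence"},
}

def distinct_factor_types(authenticators):
    """Union of the factor types a combination of verifications yields."""
    types = set()
    for name in authenticators:
        types |= FACTOR_TYPES[name]
    return types

def app_policy_is_strong(app_policy):
    """True only if every ALLOW rule demands 2FA and every authenticator
    combination it accepts really yields two distinct factor types."""
    for rule in app_policy["rules"]:
        if rule["access"] != "ALLOW":
            continue
        if rule["factorMode"] != "2FA":
            return False
        if any(len(distinct_factor_types(c)) < 2 for c in rule["allowed"]):
            return False
    return True

def audit_global_session_policy(gsp_rule, app_policies):
    """Names of apps left without a strong authentication policy once the
    Global Session Policy rule clears 'Require secondary factor'."""
    if gsp_rule["requireFactor"]:
        return []  # the session policy still enforces MFA itself
    return sorted(n for n, p in app_policies.items()
                  if not app_policy_is_strong(p))

# Constructed sample data: the new rule with the secondary factor cleared
# and three app policies, only one of which still allows a bare password.
SAMPLE_GSP_RULE = {"name": "FastPass GSP rule", "requireFactor": False}
SAMPLE_APP_POLICIES = {
    "App 1": {"rules": [{"access": "ALLOW", "factorMode": "2FA",
                         "allowed": [["okta_verify_fastpass_biometric"]]}]},
    "App 2": {"rules": [{"access": "ALLOW", "factorMode": "2FA",
                         "allowed": [["password", "okta_verify_fastpass"]]}]},
    "App 3": {"rules": [{"access": "ALLOW", "factorMode": "1FA",
                         "allowed": [["password"]]}]},
}
```

Running `audit_global_session_policy(SAMPLE_GSP_RULE, SAMPLE_APP_POLICIES)` reports App 3 as the app that would be reachable with a password alone once the session policy defers to app policies.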