Configure two-factor authentication for registered and unmanaged devices

In this use case, the user will be offered a passwordless experience with Okta FastPass with biometrics on a registered but not managed device. This is classified as a high assurance level.

Create a bookmark app

  1. In the Admin Console, go to Applications > Applications.
  2. Select Browse App Catalog.
  3. Search for Bookmark App, and then click Add.
  4. Change the Application label to Bookmark App 3.
  5. Enter a URL and click Done. Because this app is for demonstration purposes only, you can choose any URL you like. In a real environment, use the URL of the app you're setting up SSO for.
  6. Select the Assignments tab.
  7. Select Assign > Assign to Groups, and then select Assign for Okta FastPass Group 3. Don't click the group name unless you want to review the group properties.
  8. Click Done.

Create an authentication policy rule

Create an authentication policy rule to allow for biometric authentication for users. These steps use one of the bookmark apps you created in the prerequisites section.

  1. In the Admin Console, go to Applications > Applications.
  2. Select Bookmark App 3.
  3. Select the Sign On tab. The default catch-all rule allows access with one factor (password).
  4. Click Add Rule.
  5. Add a rule name (for example, Bookmark App 2 rule).
  6. In the IF User's user type is field, select Any user type.
  7. In the AND User's group membership includes field, select At least one of the following groups.
  8. Start typing the name of the group you created in the prerequisites (Okta FastPass Group 3) and then select it.
  9. In the AND User is field, select Any user.
  10. Use the default value (Any IP) for AND User's IP is.
  11. In the AND Device State is field, select Any. This turns off the silent polling feature of the Sign-In Widget, which means the Sign-In Widget displays options for the authenticators you have enabled for your users. Use the default value (Any platform) for AND Device Platform is.
  12. Leave the AND The following custom expression is true field blank.
  13. In the THEN Access is field, select Allowed after successful authentication.
  14. In the AND User must authenticate with field, select Any 1 factor type.
  15. In the AND Access with Okta FastPass is granted field, select If the user approves a prompt in Okta Verify or provides biometrics. This allows the user to always see the sign-in screen with a selection of authenticators.
  16. Leave the default values in the remaining fields, and then click Save.

Test the user sign-in experience

Whenever you change settings, clear the browser before you test them.

  1. In another browser instance or incognito window, go to the End-User Dashboard for this org.
  2. Select Bookmark App 3.
  3. On the Sign-In Widget, select Okta Verify and then provide biometric confirmation.