Configure MFA for passwordless users

This topic explains what factors can work for MFA in a passwordless sign-in. It provides you two ways of setting two-factor authentication for your passwordless sign-in flows.

Available authenticators for passwordless users

The set of authenticators that is available to a user for sign-on is determined by the intersection of Authenticator Enrollment policy and Authentication policy.

Authentication policy provides different factor options, but for passwordless multifactor authentication, only the Any 2 factor types option can be used.

The Any 2 factor types option requires the user to authenticate with two authenticators from two of the following factor types:

  • Knowledge-based: Something the user knows

  • Possession: Something the user has

  • Biometric: Something the user is

These factors can be hardware-protected, device bound, or phishing-resistant.

Knowledge-based authenticators include Password and Security Question. However, Security Question can only be used for MFA if the user has an enrolled password. Therefore, knowledge-based authenticators can’t be used to satisfy MFA requirements for passwordless sign-in.

Hence, the user needs one possession-based and one biometric factor to sign in without a password.

Set up 2FA for passwordless sign-in

There are two ways you can set up two-factor authentication for passwordless sign-in experience:

1. Okta Verify or WebAuthn (FIDO2)

While there are several possession-based factors, options for biometric factors only include Okta Verify and WebAuthn (FIDO2). However, when biometrics are enabled on Okta Verify or WebAuthn, either of them alone satisfies both the Possession and Biometric factor type requirements for 2FA. And therefore, the user is not prompted for any more factor types.

Thus, to configure two-factor authentication for passwordless sign-in, you need either Okta Verify with Push Notification or WebAuthn with User verification set to Required. When user verification is required, the user must enable biometrics during the factor enrollment. This adds a Biometric component to the authenticator.

For example, if the user is using Okta Verify on an iPhone and user verification is required, a FaceID check is performed before the user is allowed to use Okta Verify to answer a challenge.

Okta Verify with TOTP even when user verification is required, is considered only as a Possession factor and alone doesn’t satisfy 2FA requirements. Okta Verify Push Notification when user verification is required counts as both Possession and Biometric factors and alone satisfies 2FA requirements.

To set up Okta Verify, see Configure the Okta Verify authenticator.

To set up WebAuthn, see Configure a FIDO2 (WebAuthn) authenticator.

2. Okta FastPass

Okta FastPass is a device-specific configuration for Okta Verify. It can also be used to enable passwordless sign-in with two-factor authentication. However, in this case, Okta Verify must be installed on the device the user is signing into.

For an ordinary Okta Verify Push challenge, the Okta Verify application need not be installed on the device the user is signing into. For example, Okta Verify installed on a cell phone may be used to answer a challenge from the desktop.

However, this is not possible when using Okta FastPass. To be able to sign into the desktop using Okta FastPass, you must have Okta Verify installed on your desktop.

To set up Okta FastPass, see Configure Okta FastPass.