FIDO2 (WebAuthn) support and behavior

FIDO2 (WebAuthn) is supported on most web browsers and operating systems. Okta uses the standard browser APIs for enrollment and authentication.

Security keys

All major browsers support Client to Authenticator Protocol 2 (CTAP2). CTAP2 with PIN is supported on Chrome if the authenticator has a PIN registered.

If you delete a security key, the existing WebAuthn enrollments in Okta and on platform authenticators such as Touch ID and Windows Hello are then invalid.

If you're using authenticator groups, enrollment of a security key using FIDO U2F (universal 2nd factor) isn't supported. Enrollment isn't supported on Chrome if User Verification is set to Discouraged and a PIN is set on the security key. Users must allow Okta to see the make and model of the security key if prompted during the key enrollment.

Edge

On Edge, enrolling in WebAuthn with either face recognition or PIN also enrolls other authentication methods, such as fingerprint.

Chrome

Chrome displays platform authenticators by default when both platform and roaming authenticators are enrolled and available.

If you clear passwords, cookies, and other sign-in data in Chrome, you remove the WebAuthn platform authenticator from the user's Chrome profile. This also removes the authenticator enrollment from the user's Okta account.

If you reset Apple Touch ID on Chrome, you invalidate the user's existing Touch ID WebAuthn enrollments in Okta. If you deactivate Touch ID in Chrome, you prevent future enrollments of Touch ID WebAuthn until it's set up again.

Windows

On Windows, if User Verification is set to Preferred, a PIN is enforced for CTAP2 with PIN authenticators even if it's not set up. The user must set up a PIN for each enrolled FIDO2 (WebAuthn) authenticator in End-user Dashboard > Settings > Security Methods. On other operating systems, the Preferred setting only enforces the PIN if it's set up on the authenticator.