Configure the Passkeys (FIDO2 WebAuthn) authenticator

The Passkeys (FIDO2 WebAuthn) authenticator lets users authenticate with a security key or a biometric method, such as a fingerprint or face recognition. Passkeys (FIDO2 WebAuthn) follows the FIDO2 Web Authentication (WebAuthn) standard. After you enable this authenticator, users can use it to sign in to Okta or as an additional factor.

This authenticator provides several optional features to help you manage your Passkeys (FIDO2 WebAuthn) implementation.

  • Search the list of authenticators that Okta works with to plan equipment purchases, and designate which ones are allowed in your org.
  • Add your own custom authenticators.
  • Create groups of authenticators and use them in policies.
  • Manage passkeys and enroll FIDO2 security keys as part of onboarding users.

Passkeys (FIDO2 WebAuthn) is a possession factor; when the authenticator performs user verification with a biometric or PIN, it also supplies an inherence or knowledge factor. It fulfills the phishing-resistant and user-presence characteristics, and the device-bound characteristic when you block syncable passkeys (a synced passkey can be copied to other devices through the platform's credential store). See Multifactor authentication.

Before you begin

  • Review which browsers support the Passkeys (FIDO2 WebAuthn) authenticator and considerations for use. See Passkeys (FIDO2 WebAuthn) support and behavior.
  • Review the FIDO Metadata Service (MDS) list of authenticators, which is keyed by Authenticator Attestation Globally Unique Identifier (AAGUID). Verify which ones you can use with Okta before you acquire or deploy any security keys in your environment. If your authenticator doesn't appear in the FIDO MDS AAGUID list, you can add it to the custom AAGUID list. See Review and manage FIDO MDS and custom authenticators.
  • Review the browser requirements:
    • Update Chrome to the latest version. The Passkeys (FIDO2 WebAuthn) authenticator isn't usable if the browser requires an update.
    • Encourage your end users to enroll the Passkeys (FIDO2 WebAuthn) authenticator in multiple browsers and on multiple devices. A user with a single enrollment in a single browser is locked out if that browser blocks the security method or the device is lost.
  • Review system requirements:
    • The Passkeys (FIDO2 WebAuthn) authenticator isn't supported by the MFA Credential Provider for Windows.
    • When you block the use of syncable passkeys in your org, users on macOS Monterey can't enroll Touch ID in Safari.
    • When you block the use of syncable passkeys in your org, iPhone users running iOS 16 can't use the Passkeys (FIDO2 WebAuthn) authenticator. Enable Okta FastPass or security keys that support NFC or USB-C instead. Enrollments of devices running iOS 16 are supported after you block the use of syncable passkeys for non-passkey purposes.
    • A Passkeys (FIDO2 WebAuthn) enrollment is bound to the Okta org URL (the WebAuthn relying party ID) where it was registered and can't be used on another URL. If you have multiple Okta org URLs, including custom URLs, enable this authenticator on each org and have users enroll it separately on each URL.
    • Re-enroll any security keys that were added before November 30, 2022.
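To make the AAGUID list, the org-URL binding, and the syncable-passkey block concrete at the protocol level, here is an added example (not Okta's code, and not something you run against Okta, which performs these checks server-side). It parses the authenticator data that a WebAuthn registration returns and applies the corresponding policy: the AAGUID must be on an allowlist, the rpIdHash must match the relying party ID (your org URL), user presence and user verification must be asserted, and the backup-eligible flag, which marks a syncable passkey, is rejected when syncable passkeys are blocked. The RP ID `example.okta.com`, the AAGUIDs, the credential ID, and the COSE key bytes are constructed placeholders.

```python
"""Parse WebAuthn authenticator data from a registration and apply the
admin-side checks described above. Added example; not Okta's code.
The RP ID, AAGUIDs, credential ID, and COSE key bytes are constructed."""
from __future__ import annotations

import hashlib
import struct
import uuid
from dataclasses import dataclass
from typing import Optional

# Bits of the flags byte in authenticator data (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (biometric or PIN)
FLAG_BE = 0x08  # backup eligible: credential can be synced (passkey)
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows the header
FLAG_ED = 0x80  # extension data follows the credential


@dataclass
class AuthenticatorData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[uuid.UUID]
    credential_id: Optional[bytes]
    cose_public_key: Optional[bytes]  # raw CBOR; not decoded here


def parse_authenticator_data(data: bytes) -> AuthenticatorData:
    """Split authenticator data into its fields, validating lengths as it goes."""
    if len(data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte fixed header")
    rp_id_hash, flags = data[:32], data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    aaguid = credential_id = cose_key = None
    if flags & FLAG_AT:
        if len(data) < 55:  # 37-byte header + 16-byte AAGUID + 2-byte length
            raise ValueError("attested credential data truncated")
        aaguid = uuid.UUID(bytes=data[37:53])
        (cred_len,) = struct.unpack(">H", data[53:55])
        credential_id = data[55:55 + cred_len]
        if len(credential_id) != cred_len:
            raise ValueError("credential ID truncated")
        if flags & FLAG_ED:
            # The COSE key and the extensions are back-to-back CBOR items;
            # separating them needs a CBOR decoder, which this example omits.
            raise ValueError("extension data present; CBOR decoding required")
        cose_key = data[55 + cred_len:]
    return AuthenticatorData(rp_id_hash, flags, sign_count, aaguid, credential_id, cose_key)


def check_registration(data: bytes, rp_id: str, allowed_aaguids: set,
                       allow_syncable: bool) -> list:
    """Return policy violations for a registration; an empty list means accept."""
    ad = parse_authenticator_data(data)
    problems = []
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        problems.append(f"rpIdHash does not match RP ID {rp_id!r}")
    if not ad.flags & FLAG_UP:
        problems.append("user presence (UP) not asserted")
    if not ad.flags & FLAG_UV:
        problems.append("user verification (UV) not asserted")
    if not ad.flags & FLAG_AT:
        problems.append("registration response carries no attested credential data")
    elif ad.aaguid not in allowed_aaguids:
        problems.append(f"AAGUID {ad.aaguid} is not on the allowlist")
    if ad.flags & FLAG_BE and not allow_syncable:
        problems.append("credential is backup-eligible (syncable passkey) but syncable passkeys are blocked")
    return problems


def build_sample(rp_id: str, flags: int, aaguid: uuid.UUID, cred_id: bytes,
                 cose_key: bytes, sign_count: int = 0) -> bytes:
    """Assemble authenticator data bytes for the demonstration below."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", sign_count) + aaguid.bytes
            + struct.pack(">H", len(cred_id)) + cred_id + cose_key)


# Constructed placeholders: not a real org, product AAGUID, or key.
RP_ID = "example.okta.com"
ALLOWED_AAGUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
UNKNOWN_AAGUID = uuid.UUID("ffffffff-ffff-ffff-ffff-ffffffffffff")
CRED_ID = bytes(range(16))
COSE_KEY = bytes.fromhex("a50102032620012158") + bytes(16)  # opaque stand-in

DEVICE_BOUND = build_sample(RP_ID, FLAG_UP | FLAG_UV | FLAG_AT, ALLOWED_AAGUID, CRED_ID, COSE_KEY)
SYNCED_PASSKEY = build_sample(RP_ID, FLAG_UP | FLAG_UV | FLAG_AT | FLAG_BE | FLAG_BS,
                              ALLOWED_AAGUID, CRED_ID, COSE_KEY)
OTHER_ORG = build_sample("other-org.example", FLAG_UP | FLAG_UV | FLAG_AT,
                         ALLOWED_AAGUID, CRED_ID, COSE_KEY)
UNLISTED_KEY = build_sample(RP_ID, FLAG_UP | FLAG_UV | FLAG_AT, UNKNOWN_AAGUID, CRED_ID, COSE_KEY)

if __name__ == "__main__":
    for name, sample in [("device-bound", DEVICE_BOUND), ("synced", SYNCED_PASSKEY),
                         ("other org", OTHER_ORG), ("unlisted", UNLISTED_KEY)]:
        print(name, check_registration(sample, RP_ID, {ALLOWED_AAGUID}, allow_syncable=False))
```

The `OTHER_ORG` case is the situation the last list item describes: the same authenticator registered under a different URL produces a different rpIdHash, so the credential is unusable on your org URL and a separate enrollment is needed. The `SYNCED_PASSKEY` case is what blocking syncable passkeys rejects, and why that block also removes Touch ID in Safari on macOS Monterey and platform passkeys on iOS 16, which only offer backup-eligible credentials. A real deployment would also verify the attestation statement against the FIDO MDS entry for the AAGUID, which this example does not do.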

Get started