User experience based on Okta Verify user verification settings

This guide explains how the user experience for Okta Verify and Okta FastPass changes depending on the enrollment options for user verification: Preferred, Required, and Required with biometrics only. It also covers the different interaction scenarios between app sign-in policies and biometric user verification.

Early Access release. See Enable self-service features.

When you enable Inline step-up flow for User Verification with Okta Verify, users are guided through the necessary configuration steps to meet the user verification requirements defined in your app sign-in policies. With this feature, you reduce the risk of user lockouts. Users should reach out to your help desk if the user verification setup fails.

When a user clicks Sign in with Okta FastPass, there's insufficient context to determine what level of user verification is required. Okta Verify challenges the user with biometrics or a device passcode if available. The user may be prompted for additional verification factors after Okta determines the correct context.

Android devices

Enrollment

  Preferred:

  • Users are prompted to enable screen lock or biometric confirmation. They can skip this step and proceed with the Okta Verify enrollment.

  • Previously enrolled users can change the user verification setting from their Account details page. In the Security section, they can turn Screen lock confirmation on or off. On Android 10, this option is called Biometric confirmation.

  Required:

  • New users must enable screen lock or biometrics to proceed.

  • If users don't have screen lock or biometrics set up on the device, Okta Verify guides them to the device's settings to complete this configuration first.

  • Previously enrolled users who didn't enable user verification receive remediation messages on their Account details page in Okta Verify:

    • Enable screen lock confirmation

    • Enable biometric confirmation

    • Screen lock settings out of sync with Okta Verify

  • Enrolled users can't turn off screen lock or biometric confirmation in Okta Verify.

  Required with biometrics only:

  • New users must enable biometrics to proceed.

  • If users don't have biometrics set up on the device, Okta Verify guides them to the device's settings to complete this step.

  • Devices without biometric capabilities can't be enrolled in Okta Verify. Users receive a Device not supported message.

  • Previously enrolled users who didn't enable biometrics receive a remediation message on their Account details page in Okta Verify.

  • Enrolled users can't turn off biometrics in Okta Verify.

Authentication with Okta Verify Push

  Preferred: Users are prompted for biometrics if they enabled this method during enrollment.

  Required: Users are prompted for biometric confirmation.

  Required with biometrics only: Users are prompted for biometric confirmation.

Authentication with Okta FastPass

  • Users are prompted for biometric or password confirmation depending on the possession factor constraints configured in your app sign-in policy. See Add an app sign-in policy rule.

    • You didn't select Require user interaction: Users can authenticate silently.

    • You selected Require user interaction: Users are prompted to approve a notification.

    • You selected Require PIN or biometric user verification: Users are prompted to authenticate with biometrics or PIN.

If user verification settings in Okta Verify are out of sync with the device settings, users receive remediation messages during the authentication flow. For example, Enable biometric confirmation for Okta Verify.

iOS devices

Enrollment

  Preferred:

  • Users are prompted to enable Touch ID, Face ID, or passcode confirmation. They can skip this step and proceed with the Okta Verify enrollment.

  • Previously enrolled users can change the user verification setting from their Okta Verify Account details page. They can turn Face ID or Passcode Confirmation on or off.

  Required:

  • New users must enable Touch ID, Face ID, or passcode confirmation to proceed.

  • If users don't have Touch ID, Face ID, or passcode set up on the device, Okta Verify guides them to the device's settings to complete this configuration first.

  • Previously enrolled users who didn't enable user verification receive remediation messages on their Account details page in Okta Verify:

    • Enable Face ID Confirmation

    • Enable Face ID or Passcode Confirmation

    • Face ID or Passcode Settings out of Sync with Okta Verify

  • Enrolled users can't turn off Face ID, Touch ID, or passcode confirmation in Okta Verify.

  Required with biometrics only:

  • New users must enable Touch ID or Face ID confirmation to proceed.

  • If users don't have biometrics set up on the device, Okta Verify guides them to the device's settings to complete this configuration first.

  • Devices without biometric capabilities can't be enrolled in Okta Verify. Users receive a Device not supported message.

  • Previously enrolled users who didn't enable user verification receive remediation messages on their Account details page in Okta Verify. For example, Enable Face ID.

  • Enrolled users can't turn off Face ID or Touch ID in Okta Verify.

Authentication with Okta Verify Push

  Preferred: Users are prompted for biometrics if they enabled this method during enrollment.

  Required: Users are prompted for biometric confirmation.

  Required with biometrics only: Users are prompted for biometric confirmation.

Authentication with Okta FastPass

  • Users are prompted for biometric or passcode confirmation depending on the possession factor constraints configured in your app sign-in policy. See Add an app sign-in policy rule.

    • You didn't select Require user interaction: Users can authenticate silently.
    • You selected Require user interaction: Users are prompted to approve a notification.
    • You selected Require PIN or biometric user verification: Users are prompted to authenticate with biometrics or PIN.

If user verification settings in Okta Verify don't match your configurations or went out of sync with the device settings, users receive remediation messages during the authentication flow. For example, Enable Face ID or Passcode Confirmation for Okta Verify.

macOS devices

Enrollment

  Preferred:

  • Users are prompted to enable Touch ID or password confirmation. They can skip this step and proceed with the Okta Verify enrollment.

  • Previously enrolled users can change the user verification setting from the Okta Verify Account details page. They can turn Touch ID confirmation or Password confirmation on or off.

  Required:

  • New users must enable Touch ID or password confirmation to proceed.

  • If users don't have Touch ID or a password set up on the device, Okta Verify guides them to the device's settings to complete this configuration first.

  • Previously enrolled users who didn't enable user verification receive remediation messages in Okta Verify:

    • Enable Touch ID confirmation

    • Enable Touch ID or password confirmation

    • Touch ID or password settings out of sync with Okta Verify

  • Enrolled users can't turn off Touch ID or password confirmation in Okta Verify.

  Required with biometrics only:

  • New users must enable Touch ID confirmation to proceed.

  • If users don't have biometrics set up on the device, Okta Verify guides them to the device's settings to complete this configuration first.

  • Devices without biometric capabilities can't be enrolled in Okta Verify. Users receive a Device not supported message.

  • Previously enrolled users who didn't enable user verification receive remediation messages in Okta Verify. For example, Enable Touch ID confirmation.

  • Enrolled users can't turn off Touch ID in Okta Verify.

Authentication with Okta FastPass

  • Users are prompted for biometric or password confirmation depending on the possession factor constraints configured in your app sign-in policy. See Add an app sign-in policy rule.

    • You didn't select Require user interaction: Users can authenticate silently.
    • You selected Require user interaction: Users are prompted to approve a notification.
    • You selected Require PIN or biometric user verification: Users are prompted to authenticate with biometrics or PIN.

If user verification settings in Okta Verify don't match your configurations or went out of sync with the device settings, users receive remediation messages during the authentication flow. For example, Enable Touch ID or password confirmation for Okta Verify.

Windows devices

Enrollment

  Preferred:

  • Users are prompted to enable Windows Hello. They can skip this step and proceed with the Okta Verify enrollment.

  • Enrolled users can change the user verification setting from the Okta Verify Account details page. They can turn Windows Hello confirmation on or off.

  Required and Required with biometrics only:

  • Due to Windows requirements, the Required and Required with biometrics only options are equivalent and trigger the same user experience.

  • New users must enable Windows Hello face, fingerprint, or PIN verification to proceed.

  • If users don't have Windows Hello set up on the device, Okta Verify guides them to the device's settings to complete this configuration first.

  • Devices that don't support Windows Hello can't be enrolled in Okta Verify. Users receive a Device not supported message.

  • Previously enrolled users who didn't enable Windows Hello receive remediation messages in Okta Verify.

  • Enrolled users can't turn off Windows Hello.

Authentication with Okta FastPass

  • Users are prompted for biometric or PIN confirmation depending on the possession factor constraints configured in your app sign-in policy. See Add an app sign-in policy rule.

    • You didn't select Require user interaction: Users can authenticate silently.
    • You selected Require user interaction: Users are prompted to approve a notification.
    • You selected Require PIN or biometric user verification: Users are prompted to authenticate with biometrics or PIN.

If user verification settings in Okta Verify don't match your configurations or are out of sync with the device settings, users receive remediation messages during the authentication flow. For example, Enable Windows Hello confirmation or Windows Hello settings out of sync with Okta Verify.

Okta Verify for Windows doesn't support inline remediation. Users should enable user verification in the Okta Verify app to access resources that require user verification.

Best practices for user verification

  • The Required with biometrics only setting offers the strongest security, but may cause enrollment issues on devices that don't support biometrics.

  • The Preferred setting provides the most flexible user experience.

  • The Windows operating system has unique constraints where the Required and Required with biometrics only options behave similarly.

  • Okta Verify provides remediation prompts if a user's device settings are out of sync with the configured policy.

Biometric user verification in app sign-in policies

Early Access release. See Enable self-service features.

Enabling the Biometric user verification in authentication policies feature allows you to configure policy rules that require biometric authentication.

App sign-in policy rules

During authentication with Okta Verify Push or Okta FastPass, the user experience depends on several conditions:

  • The possession factor constraints configured in the app sign-in policy. See Biometric user verification in app sign-in policies.

  • The enrollment settings for user verification that you configured for Okta Verify.

  • The verification options selected by the user during enrollment.

Scenario 1

  • App sign-in policy rule requirement: Any method

  • Okta Verify enrollment: Preferred

  • Device passcode not enabled, biometrics not enabled: Users authenticate by responding to an Okta Verify prompt.

  • Device passcode enabled, biometrics not enabled: Users authenticate with a device passcode.

  • Device passcode enabled, biometrics enabled: Users authenticate with a device passcode.

Scenario 2

  • App sign-in policy rule requirement: Any method

  • Okta Verify enrollment: Required

  • Device passcode not enabled, biometrics not enabled:

    • Okta Verify Push: When users authenticate, they're prompted to set up a device passcode.
    • Okta FastPass: Users authenticate by approving an Okta Verify prompt.

  • Device passcode enabled, biometrics not enabled: Users authenticate with a device passcode.

  • Device passcode enabled, biometrics enabled: Users authenticate with a device passcode.

Scenario 3

  • App sign-in policy rule requirement: Any method

  • Okta Verify enrollment: Required with biometrics only

  • Device passcode not enabled, biometrics not enabled:

    • Okta Verify Push: When users authenticate, they're prompted to set up biometrics.
    • Okta FastPass: Users authenticate by approving an Okta Verify prompt.

  • Device passcode enabled, biometrics not enabled:

    • Okta Verify Push: When users authenticate, they're prompted to set up biometrics.
    • Okta FastPass: Users authenticate with a device passcode.

  • Device passcode enabled, biometrics enabled:

    • Okta Verify Push: Users authenticate with biometrics.
    • Okta FastPass: Users authenticate with a device passcode.

Scenario 4

  • App sign-in policy rule requirement: Require PIN or biometric user verification

  • Okta Verify enrollment: Preferred or Required

  • Device passcode not enabled, biometrics not enabled: When users authenticate, they're prompted to set up a device passcode.

  • Device passcode enabled, biometrics not enabled: Users authenticate with a device passcode.

  • Device passcode enabled, biometrics enabled: Users authenticate with a device passcode.

Scenario 5

  • App sign-in policy rule requirement: Require PIN or biometric user verification

  • Okta Verify enrollment: Required with biometrics only

  • Device passcode not enabled, biometrics not enabled:

    • Okta Verify Push: When users authenticate, they're prompted to set up biometrics.
    • Okta FastPass: When users authenticate, they're prompted to set up a device passcode.

  • Device passcode enabled, biometrics not enabled:

    • Okta Verify Push: When users authenticate, they're prompted to set up biometrics.
    • Okta FastPass: Users authenticate with a device passcode.

  • Device passcode enabled, biometrics enabled:

    • Okta Verify Push: Users authenticate with biometrics.
    • Okta FastPass: Users authenticate with a device passcode.

Scenario 6

In this authentication scenario, the user experience depends on the Okta Verify account state. The Okta Verify enrollment settings don't impact the authentication flow.

  • App sign-in policy rule requirement: Require PIN or biometric user verification

  • Okta Verify enrollment: Preferred, Required, or Required with biometrics only

  • Device passcode not enabled, biometrics not enabled:

    • Okta Verify Push: When users authenticate, they're prompted to set up biometrics.
    • Okta FastPass: When users authenticate on Android, iOS, or macOS, they're prompted to set up biometrics.
    • Okta FastPass: Authentication is blocked on Windows (see note).

  • Device passcode enabled, biometrics not enabled:

    • Okta Verify Push: When users authenticate, they're prompted to set up biometrics.
    • Okta FastPass: When users authenticate on Android, iOS, or macOS, they're prompted to set up biometrics.
    • Okta FastPass: Authentication is blocked on Windows (see note).

  • Device passcode enabled, biometrics enabled:

    • Okta Verify Push: Users authenticate with biometrics.
    • Okta FastPass: Users authenticate with biometrics on Android, iOS, or macOS.
    • Okta FastPass: Authentication is blocked on Windows (see note).

Due to Windows constraints, Okta can't prevent the use of a Windows Hello PIN.

Even if you configure Okta Verify enrollment to require biometrics, users who only enable a Windows Hello PIN still satisfy the Okta Verify enrollment requirement.

Best practices for biometric user verification

When you configure app sign-in policies that require biometric user verification, create separate rules for exception cases:

  • Create a dedicated rule for devices that don't support biometrics.

  • Create a dedicated rule for Windows users and set the user interaction to Require device passcode or biometric user verification.

    If your policy rule requires biometric user verification, authentication fails for Windows users who only set up a Windows Hello PIN during Okta Verify enrollment.
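The following is an added example written for this page, not Okta's own tooling and not Okta's API schema: a small Python review that flags the lockout cases the page describes, namely a biometric-only rule that is the first match for Windows (where a Windows Hello PIN can't be prevented), a biometric-only rule with no dedicated rule for devices that lack biometrics, and the Required with biometrics only enrollment setting on devices without biometric hardware. The Rule and Finding shapes, the platform and device-class labels, and the two sample rule sets are constructed assumptions; rules are taken in priority order, with the first rule whose conditions match a platform and device class being the one that applies.

```python
from dataclasses import dataclass

# Okta Verify enrollment options for user verification, as named on this page.
ENROLLMENT_SETTINGS = ("Preferred", "Required", "Required with biometrics only")
PLATFORMS = ("Android", "iOS", "macOS", "Windows")
DEVICE_CLASSES = ("biometric", "no_biometric")  # constructed: device has biometrics or not

# Constructed labels for the user-interaction options named on this page.
UV_NONE = "none"                          # Require user interaction not selected
UV_INTERACTION = "interaction"            # Require user interaction
UV_PIN_OR_BIOMETRIC = "pin_or_biometric"  # Require PIN or biometric user verification
UV_BIOMETRIC = "biometric"                # Require biometric user verification
UV_OPTIONS = (UV_NONE, UV_INTERACTION, UV_PIN_OR_BIOMETRIC, UV_BIOMETRIC)


@dataclass(frozen=True)
class Rule:
    """A simplified app sign-in policy rule (hypothetical shape, not Okta's API)."""
    name: str
    user_verification: str
    platforms: tuple = PLATFORMS            # platforms the rule's conditions match
    device_classes: tuple = DEVICE_CLASSES  # device capability the conditions match


@dataclass(frozen=True)
class Finding:
    severity: str  # "error" or "warning"
    rule: str
    message: str


def review_policy(enrollment, rules):
    """Return findings for the lockout cases described on this page.

    Rules are given in priority order; the first rule whose conditions match
    a (platform, device class) pair is the one that applies to that pair.
    """
    if enrollment not in ENROLLMENT_SETTINGS:
        raise ValueError(f"unknown enrollment setting: {enrollment}")
    findings = []
    if enrollment == "Required with biometrics only":
        findings.append(Finding("warning", "(enrollment)",
            "Devices without biometric capabilities can't enroll in Okta Verify "
            "(Device not supported); on Windows this setting is equivalent to "
            "Required, because a Windows Hello PIN still satisfies it."))

    first_match = {}  # (platform, device class) -> rule that applies
    for rule in rules:
        if rule.user_verification not in UV_OPTIONS:
            raise ValueError(f"{rule.name}: unknown user verification option")
        for platform in rule.platforms:
            for device in rule.device_classes:
                first_match.setdefault((platform, device), rule)

    windows_errors = []     # rule names, in order, without duplicates
    no_biometric_gaps = {}  # rule name -> platforms where non-biometric devices fail
    for (platform, device), rule in first_match.items():
        if rule.user_verification != UV_BIOMETRIC:
            continue
        if platform == "Windows":
            if rule.name not in windows_errors:
                windows_errors.append(rule.name)
        elif device == "no_biometric":
            no_biometric_gaps.setdefault(rule.name, []).append(platform)

    for name in windows_errors:
        findings.append(Finding("error", name,
            "Rule is the first match for Windows and requires biometric user "
            "verification; Windows users who only set up a Windows Hello PIN "
            "fail to authenticate. Add a higher-priority Windows rule that "
            "requires device passcode or biometric user verification."))
    for name, platforms in no_biometric_gaps.items():
        findings.append(Finding("warning", name,
            f"Devices without biometrics on {', '.join(platforms)} can't "
            "satisfy biometric user verification; add a dedicated rule for "
            "devices that don't support biometrics."))
    return findings


# Constructed sample policies (not taken from any real tenant).
RISKY_RULES = [Rule("All apps: biometric", UV_BIOMETRIC)]
SAFER_RULES = [
    Rule("Windows: PIN or biometric", UV_PIN_OR_BIOMETRIC, platforms=("Windows",)),
    Rule("No biometric hardware", UV_PIN_OR_BIOMETRIC, device_classes=("no_biometric",)),
    Rule("All apps: biometric", UV_BIOMETRIC),
]

if __name__ == "__main__":
    for label, rules in (("risky", RISKY_RULES), ("safer", SAFER_RULES)):
        print(f"== {label} ==")
        for f in review_policy("Required", rules):
            print(f"[{f.severity}] {f.rule}: {f.message}")
```

Running the script reports one error and one warning for the single catch-all biometric rule, and nothing for the ordered rule set that puts the Windows and no-biometrics exception rules ahead of it; switching the enrollment setting to Required with biometrics only adds the enrollment warning in both cases.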

Related topics

Configure Okta Verify options