Configure the FIDO2 (WebAuthn) authenticator

The FIDO2 (WebAuthn) authenticator lets users authenticate with a security key or a biometric method, such as a fingerprint or face recognition. FIDO2 (WebAuthn) follows the FIDO2 Web Authentication (WebAuthn) standard. After you enable this authenticator, users can select it when they sign in to Okta or use it for extra authentication.

This authenticator provides several optional features to help you manage your FIDO2 (WebAuthn) implementation. You can search a list of authenticators that Okta works with to plan equipment purchases and designate which ones are allowed in your org. You can also create groups of authenticators and use them in policies, manage passkeys, and enroll FIDO2 security keys as part of onboarding users.

FIDO2 (WebAuthn) is a possession and biometric factor, and fulfills the requirements for device-bound, phishing-resistant, and user presence characteristics. See Multifactor authentication.

Before you begin

  • Review FIDO2 (WebAuthn) support and behavior.
  • Review the list of supported authenticators in the Admin Console to see which ones you can use with Okta before you acquire or deploy any security keys in your environment.
  • Review browser requirements:
    • Update Chrome to the latest version. The FIDO2 (WebAuthn) authenticator isn't usable if the browser requires an update.
    • Encourage your end users to enroll the FIDO2 (WebAuthn) authenticator on multiple browsers and on multiple devices. Users with one enrollment in one browser can't authenticate if their browser blocks their security method or if they lose their device.
  • Review system requirements:
    • The FIDO2 (WebAuthn)) authenticator isn't supported on MFA Credential Provider for Windows.
    • When you block the use of syncable passkeys in your org, users running macOS Monterey can't enroll in Touch ID using the Safari browser.
    • When you block the use of syncable passkeys in your org, iPhone users running iOS 16 on their devices can't use the FIDO2 (WebAuthn) authenticator. Okta recommends that you enable Okta FastPass or security keys that support NFC or USB-C instead. Enrollments of devices running iOS 16 are supported after you block the use of syncable passkeys for non-passkey purposes.
    • The FIDO2 (WebAuthn) authenticator only allows access to the org URL in which you add it. If you have multiple Okta org URLs, including custom URLs, you must add this authenticator in each of your org.
    • Re-enroll any security keys that were added before November 30, 2022.

Add the FIDO2 (WebAuthn) authenticator

  1. In the Admin Console, go to SecurityAuthenticators.

  2. On the Setup tab, click Add Authenticator.

  3. Click Add on the authenticator tile.

  4. Early Access release. See Enable self-service features.

    Configure Passkeys Autofill.

    When you enable this option, users see their enrolled passkeys when they access their Okta account. The list of existing passkeys for the web browser appears when the user clicks the Username field on the sign-in page. This encourages users to use WebAuthn to access their account, making the sign-in process more secure. It also makes the process faster as the user doesn't have to manually enter their username, select authenticators, and complete the MFA prompt.

    If you disable this option, the available passkeys aren't displayed in the Username field. Users must first enter their username and then select the required authenticators when they sign in.

    To disable this feature, first disable the Passkeys autofill option, and then disable the feature in SettingsFeatures.

    For information on the end-user experience, see Autofill passkeys.

  5. Configure User verification.

    Setting

    Behavior
    Discouraged Users aren't prompted for user verification when they enroll a FIDO2 (WebAuthn) authenticator.
    Preferred Users are prompted for user verification if they enroll a FIDO2 (WebAuthn) authenticator that supports it. The user experience may vary across platforms. For example, the user may be asked to set up a PIN on some operating systems.
    Required Users are always prompted for user verification when they enroll a FIDO2 (WebAuthn) authenticator.

  6. Click Add. The authenticator appears in the list on the Setup tab.

Add the FIDO2 (WebAuthn) authenticator to the authenticator enrollment policy

  1. In the Admin Console, go to SecurityAuthenticators.

  2. Click the Enrollment tab.
  3. Add the authenticator to a new or an existing authenticator enrollment policy. See Create an authenticator enrollment policy.

Edit or delete the FIDO2 (WebAuthn) authenticator

Before you edit or delete the authenticator, you may have to update existing policies that use this authenticator.

  1. In Authenticators, go to the Setup tab.
  2. Open the Actions dropdown menu beside the authenticator, and then select Edit or Delete.

View the AAGUID list

Search the list of authenticators to see which ones you can use with Okta. The list displays the Authenticator Attestation Global Unique Identifier (AAGUID) number for each authenticator, its type, FIPS compliance status, and hardware protection status. This helps you identify the authenticators that are compatible with your environment, provide the protection features you require, and comply with security standards. This list is provided by the FIDO Metadata Service.

Add FIDO2 (WebAuthn) as an authenticator to view the list of Okta-recognized authenticators.

  1. In the Admin Console, go to SecurityAuthenticators.
  2. On the Setup tab, click Actions in the FIDO2 (WebAuthn) row and then select Edit.
  3. Select the Authenticator settings tab.
  4. Click View list of Okta-recognized authenticators.
  5. Search for the authenticator name or the AAGUID number.

Manage authenticator groups

Okta enables you to create groups of Okta-recognized FIDO2 (WebAuthn) authenticators and use them in policies. This simplifies the task of requiring your users to authenticate with specific FIDO2 (WebAuthn) authenticators when you create policies.

  1. In the Admin Console, go to SecurityAuthenticators.
  2. On the Setup tab, click Actions in the FIDO2 (WebAuthn) row, and then select Authenticator groups.
  3. To add an authenticator group, click Add authenticator group.
  4. Enter the group name and add FIDO2 (WebAuthn) authenticators to the group.
  5. Click Add authenticator group.

To edit or delete an authenticator group, find it in the Authenticator groups list, and click Actions. Then edit or delete the group.

Before you can delete an authenticator group, you must remove it from all authentication enrollment policies that include it. See Edit an authenticator enrollment policy.

Block syncable passkeys for FIDO2 (WebAuthn) Authenticators

Early Access release. See Enable self-service features.

Passkeys enable you to back up WebAuthn credentials and synchronize them across devices. Passkeys use the strong key-based or non-phishable authentication model of FIDO2 (WebAuthn). However, they don't have some enterprise security features, such as device-bound keys and attestations, which are available with some FIDO2 (WebAuthn) authenticators.

In managed-device environments, users may be able to enroll unmanaged devices with a passkey and use these devices to authenticate. Okta allows you to block the use of syncable passkeys for new FIDO2 (WebAuthn) enrollments for your entire org. When this feature is turned on, users can't enroll new, unmanaged devices using pre-registered passkeys. Passkeys on Chrome on macOS are device-bound and aren't blocked.

  1. In the Admin Console, go to SettingsFeatures.

  2. Click the toggle switch for the Block Passkeys for FIDO2 (WebAuthn) Authenticators option to turn on the feature.

Enroll a FIDO2 security key for a user

You can enroll a security key on behalf of a user whose name appears in the Okta directory. This enables you to provision security keys, along with laptops and mobile phones, as part of onboarding employees.

  1. In the Admin Console, go to DirectoryPeople.

  2. Enter the user's name in the search field, and then click Enter. Or, click Show all users, find the user in the list, and click the user's name.
  3. In the More Actions menu, select Enroll FIDO2 Security Key.
  4. Click Register. The Verify your identity prompt appears in your browser.
  5. Select the USB security key option and follow the prompts in your browser.
  6. When the Allow this site to see your security key? prompt appears, click Allow.
  7. Click Close or Register another.

End-user experience

If the user hasn't enrolled a FIDO2 (WebAuthn) authenticator, Okta prompts them to do so the next time they sign in. For the biometric method, they're prompted to do a fingerprint or facial recognition scan. For the security key method, they're prompted to insert their security key to complete the enrollment. Prompts guide the user through the process.

When users enroll a WebAuthn security key or biometric authenticator, they're prompted to allow Okta to collect information about the authenticator they're enrolling. Users must allow Okta to see the make and model of the security key. This allows each FIDO2 (WebAuthn) authenticator to appear by name in the Extra Verification section of the user's Settings page.

After enrollment, when a user signs in, they can select the FIDO2 (WebAuthn) security method and use it to authenticate. They're prompted to do a fingerprint or facial recognition scan, or insert their security key. Prompts guide the user through the process.

Autofill passkeys

Early Access release. See Enable self-service features.

If you've enabled the Passkeys autofill option, users see their enrolled passkeys when they click the Username field on the sign-in page. Users can enroll a passkey in the Okta End-User DashboardSettingsSecurity MethodsSet up another Security Key or Biometric Authenticator.

If a passkey isn't displayed in the list, the user can select the option to use a different passkey and try again.

Security keys don't show up directly in the autofill list in the browser. The user must manually click the option to use a different passkey, insert their security key, and then follow the prompts.

When using a previously registered security key, if the user gets a message to try a different key, the user should remove the security key enrollment, and re-enroll it from the Okta End-User Dashboard. However, Okta doesn't recommend unenrolling a pre-registered security key.

Mac users may need an iCloud account to use biometric passkeys on Safari and Firefox.

Related topics

FIDO2 (WebAuthn) support and behavior

Phishing-resistant authenticator enrollment