Configure the FIDO2 (WebAuthn) authenticator

The FIDO2 (WebAuthn) authenticator lets users authenticate with a security key or a biometric method, such as a fingerprint or face recognition. FIDO2 (WebAuthn) follows the FIDO2 Web Authentication (WebAuthn) standard. After you enable this authenticator, users can select it when they sign in to Okta or use it for extra authentication.

This authenticator provides several optional features to help you manage your FIDO2 (WebAuthn) implementation. You can search a list of authenticators that Okta works with to plan equipment purchases and designate which ones are allowed in your org. You can also create groups of authenticators and use them in policies, manage passkeys, and enroll FIDO2 security keys as part of onboarding users.

FIDO2 (WebAuthn) is a possession and biometric factor and fulfills the requirements for device-bound, phishing-resistant, and user presence characteristics. See Multifactor authentication.

Before you begin

Check the list of supported authenticators to see which ones you can use with Okta before you acquire or deploy any security keys in your environment.

Review browser requirements:

  • Update Chrome to the latest version. The FIDO2 (WebAuthn) authenticator isn't usable if the browser requires an update.
  • Don't use the Safari browser on Apple Macintosh computers running on the Apple M1 processor.
  • Encourage your end users to enroll the FIDO2 (WebAuthn) authenticator on multiple browsers and on multiple devices. Users with one enrollment in one browser can't authenticate if their browser blocks their security method or if they lose their device.
  • Security key enrollments aren't supported on Firefox.
  • Enrollments on Chrome aren't supported if User Verification is set to Discouraged and a PIN is set on the security key.

Review system requirements:

  • The FIDO2 (WebAuthn) authenticator isn't supported on MFA Credential Provider for Windows.
  • When you block the use of passkeys in your org, users running macOS Monterey can't enroll in Touch ID using the Safari browser.
  • When you block the use of passkeys in your org, iPhone users running iOS 16 on their devices can't use the FIDO2 (WebAuthn) authenticator. Okta recommends that you enable Okta FastPass or security keys that support NFC or USB-C instead. Enrollments of devices running iOS 16 are supported after you block the use of passkeys for non-passkey uses.
  • The FIDO2 (WebAuthn) authenticator only allows access to the org URL in which you add it. If you have multiple Okta org URLs, including custom URLs, you must add this authenticator in each of your org URLs.
  • Re-enroll any security keys that were added before November 30, 2022.

  • Enrollments using FIDO U2F aren't supported.

Add the FIDO2 (WebAuthn) authenticator

  1. In the Admin Console, go to Security > Authenticators.

  2. On the Setup tab, click Add Authenticator.

  3. Click Add on the authenticator tile.

Configuration options

  1. Configure the following options:

    Field: User Verification

    Value:

      • Discouraged: Users aren't prompted for User Verification when they enroll a FIDO2 (WebAuthn) authenticator.
      • Preferred: Users are prompted for User Verification if they enroll a FIDO2 (WebAuthn) authenticator that supports it.
      • Required: Users are always prompted for User Verification when they enroll a FIDO2 (WebAuthn) authenticator.
  2. Click Add. The authenticator appears in the list on the Setup tab.

Add the FIDO2 (WebAuthn) authenticator to the authenticator enrollment policy

  1. In the Admin Console, go to Security > Authenticators.

  2. Click the Enrollment tab.
  3. Add the authenticator to a new or an existing authenticator enrollment policy. See Create an authenticator enrollment policy.

Edit or delete the FIDO2 (WebAuthn) authenticator

Before you edit or delete the authenticator, you may have to update existing policies that use this authenticator.

  1. In Authenticators, go to the Setup tab.
  2. Open the Actions dropdown menu beside the authenticator, and then select Edit or Delete.

View the list of Okta-recognized WebAuthn authenticators

Early Access release. See Manage Early Access and Beta features.

Search the list of authenticators to see which ones you can use with Okta, their type, FIPS compliance status, and hardware protection status. This list helps you identify which ones are compatible with your environment, identify those that provide the protection features you require, and comply with security standards. This list is provided by the FIDO Metadata Service.

You must add FIDO2 (WebAuthn) as an authenticator before you can view the list of Okta-recognized authenticators.

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Setup tab, click Actions in the FIDO2 (WebAuthn) row and then select Edit.
  3. Select the Authenticator settings tab.
  4. Click View list of Okta-recognized authenticators.
  5. Search for the authenticator name or the Authenticator Attestation Global Unique Identifier (AAGUID) number.
  6. If the authenticator you're searching for isn't in the list, click Learn to register an authenticator with FIDO.

Manage authenticator groups

Okta enables you to create groups of Okta-recognized FIDO2 (WebAuthn) authenticators and use them in policies. This simplifies the task of requiring your users to authenticate with specific FIDO2 (WebAuthn) authenticators when you create policies.

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Setup tab, click Actions in the FIDO2 (WebAuthn) row and then select Edit.
  3. Select the Authenticator settings tab.
  4. To add an authenticator group, click Add authenticator group and do the following:
    1. Enter the name of the group in Authenticator group name.
    2. Click in FIDO2 (WebAuthn) authenticators in this group and select the authenticator that you want to add to the group. You can also start entering the authenticator name or AAGUID number to filter the list. The authenticator appears in the field. Repeat this step for each authenticator that you want to add to this group.
  5. To edit or delete an authenticator group, find the authenticator in the Authenticator groups list and then click Actions. Do one of the following steps:
    1. Edit: Edit the name of the authenticator group, or click in FIDO2 (WebAuthn) authenticators in this group and add or remove authenticators from the list.
    2. Delete: Delete the authenticator group.

Delete an authenticator group from an authentication enrollment policy

Before you can delete an authenticator group, you must remove it from all authentication enrollment policies that include it. See Create an authenticator enrollment policy.

  1. In the Admin Console, go to Security > Authenticators.
  2. Click the Enrollment tab.
  3. Select a policy from the list and find the FIDO2 (WebAuthn) authenticator in the Authenticators list.
  4. If you see Authenticators from selected group list under FIDO2 (WebAuthn), click Edit. If you don’t see this option, it means that the policy isn’t using any authenticator groups.
  5. In the FIDO2 (WebAuthn) section, select one of these options:
    1. Any WebAuthn authenticators: Allow your users to authenticate with any FIDO2 (WebAuthn) authenticator.
    2. Authenticators from selected group list: Click the X beside the name of an authenticator in the list to delete it.
  6. Click Update policy.

Block the use of passkeys

Passkeys enable WebAuthn credentials to be backed up and synchronized across devices. Passkeys use the strong key-based/non-phishable authentication model of FIDO2 (WebAuthn). However, they don't have some enterprise security features, such as device-bound keys and attestations, which are available with some FIDO2 (WebAuthn) authenticators.

In managed-device environments, users may be able to enroll unmanaged devices with a passkey and use these devices to authenticate. Okta allows you to block the use of passkeys for new FIDO2 (WebAuthn) enrollments for your entire org. When this feature is turned on, users aren't able to enroll new, unmanaged devices using pre-registered passkeys.

  1. In the Admin Console, go to Settings > Features.

  2. Click the toggle switch for the Block Passkeys for FIDO2 (WebAuthn) Authenticators option to turn on the feature.
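
The User Verification setting, authenticator groups selected by AAGUID, and the passkey block described on this page all correspond to fields that a WebAuthn relying party can read from the authenticator data returned at enrollment. The following is an added example, not Okta's code or a description of Okta's implementation: it parses that structure as laid out in the WebAuthn specification and applies a hypothetical policy. The names check_enrollment and build_sample, the domain, and the AAGUID are constructed, and treating the Backup Eligible flag as the passkey signal is an assumption of this example.

```python
import hashlib
import struct
import uuid

# Flag bits of the authenticator data, as defined by the WebAuthn specification.
UP, UV, BE, BS, AT = 0x01, 0x04, 0x08, 0x10, 0x40

def parse_auth_data(auth_data: bytes) -> dict:
    """Parse the 37-byte header and, if present, the AAGUID that follows it."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags, sign_count = struct.unpack(">BI", auth_data[32:37])
    aaguid = None
    if flags & AT:  # attested credential data starts with the 16-byte AAGUID
        if len(auth_data) < 53:
            raise ValueError("AT flag set but the AAGUID is truncated")
        aaguid = str(uuid.UUID(bytes=auth_data[37:53]))
    return {"rp_id_hash": auth_data[:32], "sign_count": sign_count, "aaguid": aaguid,
            "up": bool(flags & UP), "uv": bool(flags & UV),
            "be": bool(flags & BE), "bs": bool(flags & BS)}

def check_enrollment(auth_data, rp_id, uv_setting, allowed_aaguids, block_passkeys):
    """Hypothetical policy check: returns reasons to reject (empty list = accept)."""
    d = parse_auth_data(auth_data)
    reasons = []
    if d["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        reasons.append("credential is scoped to a different RP ID")
    if not d["up"]:
        reasons.append("user presence flag not set")
    if uv_setting == "required" and not d["uv"]:
        reasons.append("user verification required but not performed")
    if allowed_aaguids is not None and d["aaguid"] not in allowed_aaguids:
        reasons.append("AAGUID is not in the allowed authenticator group")
    if block_passkeys and d["be"]:
        reasons.append("credential is backup eligible, so it can be synced")
    return reasons

def build_sample(rp_id: str, flags: int, aaguid: str) -> bytes:
    """Build constructed authenticator data (dummy credential ID, no public key)."""
    cred_id = b"\x01" * 16
    return (hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, 0)
            + uuid.UUID(aaguid).bytes + struct.pack(">H", len(cred_id)) + cred_id)

# Constructed values: the domain and the AAGUID are placeholders, not real identifiers.
RP_ID = "login.example.test"
KEY_AAGUID = "00000000-0000-4000-8000-000000000001"
hardware_key = build_sample(RP_ID, UP | UV | AT, KEY_AAGUID)
synced_passkey = build_sample(RP_ID, UP | UV | BE | BS | AT, KEY_AAGUID)
```

The RP ID comparison is the reason an enrollment made under one org URL can't be used under another: the authenticator data carries the SHA-256 hash of the RP ID that the credential was created for.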

Enroll a FIDO2 security key for a user

You can enroll a security key on behalf of a user whose name appears in the Okta Directory. This enables you to provision security keys, along with laptops and mobile phones, as part of onboarding employees.

  1. In the Admin Console, go to Directory > People.

  2. Enter the user's name in the search field, and then click Enter. Or, click Show all users, find the user in the list, and click the user's name.
  3. In the More Actions menu, select Enroll FIDO2 Security Key.
  4. Click Register. The Verify your identity prompt appears in your browser.
  5. Select the USB security key option and follow the prompts in your browser.
  6. When the Allow this site to see your security key? prompt appears, click Allow.
  7. Click Close or Register another.

End-user experience

If you require your users to enroll in the FIDO2 (WebAuthn) authenticator, Okta prompts them to enroll the next time they sign in. If they choose the biometric method, they’re prompted to do a fingerprint or facial recognition scan. If they choose the security key method, they’re prompted to insert their security key to complete the enrollment. Prompts guide the user through the process.

When users enroll a WebAuthn security key or biometric authenticator, they’re prompted to allow Okta to collect information about the authenticator they’re enrolling. Users must allow Okta to see the make and model of the security key. This allows each FIDO2 (WebAuthn) authenticator to appear by name in the Extra Verification section of the user's Settings page.

After enrollment, when a user signs in, they can select the FIDO2 (WebAuthn) security method and use it to authenticate. They’re prompted to do a fingerprint or facial recognition scan, or insert their security key. Prompts guide the user through the process.

Related topics

Configure the YubiKey OTP authenticator

FIDO2 (WebAuthn) compatibility

Phishing-resistant authenticator enrollment