User experience according to Okta Verify user verification settings

By configuring Okta Verify user verification enrollment options, you define how users can enroll in Okta Verify or Okta FastPass.

Android devices

User experience for each user verification setting (Preferred, Required, Required with biometrics only), by user task:

Enrollment

Preferred:

Users are prompted to enable screen lock or biometric confirmation. They can skip this step and proceed with the Okta Verify enrollment.

Enrolled users can change the user verification setting from the Okta Verify Account details page. In the Security section, they can turn Screen lock confirmation on or off. On Android 10, this option is called Biometric confirmation.

Required:

New users are prompted to enable screen lock or biometric confirmation. They can't skip this step. If users don't have screen lock or biometrics set up on the device, Okta Verify guides them to the Settings app to complete this configuration first.

Enrolled users who didn't enable user verification receive remediation messages on the Account details page in Okta Verify:

  • Enable screen lock confirmation
  • Enable biometric confirmation
  • Screen lock settings out of sync with Okta Verify

Enrolled users can't turn off screen lock or biometrics confirmation in Okta Verify.

Required with biometrics only:

New users are prompted to enable biometric confirmation. They can't skip this step. If users don't have biometrics set up on the device, Okta Verify guides them to the Settings app to complete this configuration first. Devices without biometric capabilities can't be enrolled in Okta Verify. Users receive a Device not supported message.

Enrolled users who didn't enable biometrics receive a remediation message on the Account details page in Okta Verify. For example, Enable biometric confirmation.

Enrolled users can't turn off biometrics in Okta Verify.

Authentication with Okta Verify Push

Preferred: Users are prompted for biometrics if they enabled this method during enrollment.

Required: Users are prompted for biometric confirmation.

Required with biometrics only: Users are prompted for biometric confirmation.

Authentication with Okta FastPass

Users are prompted for biometric or password confirmation according to the possession factor constraints you configured in the authentication policy. See Add an authentication policy rule.

  • You didn't select Require user interaction: Users can authenticate silently.
  • You selected Require user interaction: Users are prompted to approve a notification.
  • You selected Require PIN or biometric user verification: Users are prompted to authenticate with biometrics or PIN.

Remediation

If user verification settings in Okta Verify are out of sync with the device settings, users receive remediation messages during the authentication flow. For example, Enable biometric confirmation for Okta Verify.

iOS devices

User experience for each user verification setting (Preferred, Required, Required with biometrics only), by user task:

Enrollment

Preferred:

Users are prompted to enable Touch ID, Face ID, or passcode confirmation. They can skip this step and proceed with the Okta Verify enrollment.

Enrolled users can change the user verification setting from the Okta Verify Account Details page. For example, they can turn Face ID or Passcode Confirmation on or off.

Required:

New users are prompted to enable Touch ID, Face ID, or passcode confirmation. They can't skip this step. If users don't have Touch ID, Face ID, or passcode set up on the device, Okta Verify guides them to the Settings app to complete this configuration first.

Enrolled users who didn't enable user verification receive remediation messages on the Account Details page in Okta Verify:

  • Enable Face ID Confirmation
  • Enable Face ID or Passcode Confirmation
  • Face ID or Passcode Settings out of Sync with Okta Verify

Enrolled users can't turn off Face ID, Touch ID, or passcode confirmation in Okta Verify.

Required with biometrics only:

New users are prompted to enable Touch ID or Face ID confirmation. They can't skip this step. If users don't have biometrics set up on the device, Okta Verify guides them to the Settings app to complete this configuration first. Devices without biometric capabilities can't be enrolled in Okta Verify. Users receive a Device not supported message.

Enrolled users who didn't enable user verification receive remediation messages on the Account details page in Okta Verify. For example, Enable Face ID.

Enrolled users can't turn off Face ID or Touch ID in Okta Verify.

Authentication with Okta Verify Push

Preferred: Users are prompted for biometrics if they enabled this method during enrollment.

Required: Users are prompted for biometric confirmation.

Required with biometrics only: Users are prompted for biometric confirmation.

Authentication with Okta FastPass

Users are prompted for biometric or passcode confirmation according to the possession factor constraints you configured in the authentication policy. See Add an authentication policy rule.

  • You didn't select Require user interaction: Users can authenticate silently.
  • You selected Require user interaction: Users are prompted to approve a notification.
  • You selected Require PIN or biometric user verification: Users are prompted to authenticate with biometrics or PIN.

Remediation

If user verification settings in Okta Verify don't match your configurations or went out of sync with the device settings, users receive remediation messages during the authentication flow. For example, Enable Face ID or Passcode Confirmation for Okta Verify.

macOS devices

User experience for each user verification setting (Preferred, Required, Required with biometrics only), by user task:

Enrollment

Preferred:

Users are prompted to enable Touch ID or password confirmation. They can skip this step and proceed with the Okta Verify enrollment.

Enrolled users can change the user verification setting from the Okta Verify account details page. They can turn Touch ID confirmation or Password confirmation on or off.

Required:

New users are prompted to enable Touch ID or password confirmation. They can't skip this step. If users don't have a Touch ID or password set up on the device, Okta Verify guides them to the Settings app to complete this configuration first.

Enrolled users who didn't enable user verification receive remediation messages in Okta Verify:

  • Enable Touch ID confirmation
  • Enable Touch ID or password confirmation
  • Touch ID or passwords settings out of sync with Okta Verify

Enrolled users can't turn off Touch ID or password confirmation in Okta Verify.

Required with biometrics only:

New users are prompted to enable Touch ID confirmation. They can't skip this step. If users don't have biometrics set up on the device, Okta Verify guides them to the Settings app to complete this configuration first. Devices without biometric capabilities can't be enrolled in Okta Verify. Users receive a Device not supported message.

Enrolled users who didn't enable user verification receive remediation messages in Okta Verify. For example, Enable Touch ID confirmation.

Enrolled users can't turn off Touch ID in Okta Verify.

Authentication with Okta FastPass

Users are prompted for biometric or password confirmation according to the possession factor constraints you configured in the authentication policy. See Add an authentication policy rule.

  • You didn't select Require user interaction: Users can authenticate silently.
  • You selected Require user interaction: Users are prompted to approve a notification.
  • You selected Require PIN or biometric user verification: Users are prompted to authenticate with biometrics or PIN.

Remediation

If user verification settings in Okta Verify don't match your configurations or went out of sync with the device settings, users receive remediation messages during the authentication flow. For example, Enable Touch ID or password confirmation for Okta Verify.

Windows devices

User experience for each user verification setting (Preferred, Required / Required with biometrics only), by user task:

Enrollment

Preferred:

Users are prompted to enable Windows Hello. They can skip this step and proceed with the Okta Verify enrollment.

Enrolled users can change the user verification setting from the Okta Verify account details page. They can turn Windows Hello confirmation on or off.

Required / Required with biometrics only:

Due to Windows requirements, Required and Required with biometrics only trigger the same user experience. These options are equivalent. When new users enable Windows Hello, they enable face, fingerprint, and PIN verification.

New users are prompted to enable Windows Hello confirmation. They can't skip this step. If users don't have Windows Hello set up on the device, Okta Verify guides them through setting it up. If the device doesn't support Windows Hello, it can't be enrolled in Okta Verify. Users receive a Device not supported message.

Enrolled users who didn't enable Windows Hello receive remediation messages in Okta Verify. For example, Enable Windows Hello confirmation.

Enrolled users can't turn off Windows Hello.

Authentication with Okta FastPass

Users are prompted for biometric or PIN confirmation according to the possession factor constraints you configured in the authentication policy. See Add an authentication policy rule.

  • You didn't select Require user interaction: Users can authenticate silently.
  • You selected Require user interaction: Users are prompted to approve a notification.
  • You selected Require PIN or biometric user verification: Users are prompted to authenticate with biometrics or PIN.

Remediation

If user verification settings in Okta Verify don't match your configurations or went out of sync with the device settings, users receive remediation messages during the authentication flow. For example, Enable Windows Hello confirmation or Windows Hello settings out of sync with Okta Verify.

Biometric user verification in authentication policies

Early Access release. See Enable self-service features.

By enabling the Biometric user verification in authentication policies feature, you can configure policy rules that require users to authenticate with biometrics.

During authentication with Okta Verify Push or Okta FastPass, the user experience depends on several conditions:

  • The possession factor constraints that you configure in the authentication policy. See Biometric user verification in authentication policies.
  • The user verification enrollment settings that you configure for Okta Verify
  • The user verification options selected by the user during enrollment

Authentication rule requires any interaction and Okta Verify enrollment is set to preferred user verification

Device passcode: not enabled; Biometrics: not enabled

Users authenticate by responding to an Okta Verify prompt.

Device passcode: enabled; Biometrics: not enabled

Users authenticate with a device passcode.

Device passcode: enabled; Biometrics: enabled

Users authenticate with a device passcode.

Authentication rule requires any interaction and Okta Verify enrollment is set to required with device passcode or biometrics

Device passcode: not enabled; Biometrics: not enabled

  • When users authenticate with Okta Verify Push, they're prompted to set up a device passcode.
  • For Okta FastPass, users authenticate by approving an Okta Verify prompt.

Device passcode: enabled; Biometrics: not enabled

Users authenticate with a device passcode.

Device passcode: enabled; Biometrics: enabled

Users authenticate with a device passcode.

Authentication rule requires any interaction and Okta Verify enrollment is set to required with biometrics only

Device passcode: not enabled; Biometrics: not enabled

  • When users authenticate with Okta Verify Push, they're prompted to set up biometrics.
  • For Okta FastPass, users authenticate by approving an Okta Verify prompt.

Device passcode: enabled; Biometrics: not enabled

  • When users authenticate with Okta Verify Push, they're prompted to set up biometrics.
  • For Okta FastPass, users authenticate with a device passcode.

Device passcode: enabled; Biometrics: enabled

  • For Okta Verify Push, users authenticate with biometrics.
  • For Okta FastPass, users authenticate with a device passcode.

Authentication rule requires device passcode or biometric user verification and Okta Verify enrollment is set to preferred user verification or required with device passcode or biometrics

Device passcode: not enabled; Biometrics: not enabled

During authentication users are prompted to set up a device passcode.

Device passcode: enabled; Biometrics: not enabled

Users authenticate with a device passcode.

Device passcode: enabled; Biometrics: enabled

Users authenticate with a device passcode.

Authentication rule requires device passcode or biometric user verification and Okta Verify enrollment is set to required with biometrics only

Device passcode: not enabled; Biometrics: not enabled

  • When users authenticate with Okta Verify Push, they're prompted to set up biometrics.
  • When users authenticate with Okta FastPass, they're prompted to set up a device passcode.

Device passcode: enabled; Biometrics: not enabled

  • When users authenticate with Okta Verify Push, they're prompted to set up biometrics.
  • For Okta FastPass, users authenticate with a device passcode.

Device passcode: enabled; Biometrics: enabled

  • For Okta Verify Push, users authenticate with biometrics.
  • For Okta FastPass, users authenticate with a device passcode.

Authentication rule requires biometric user verification

When you use this authentication condition, the user experience depends on the Okta Verify account state. The Okta Verify enrollment settings (Preferred user verification, Required, or Required with biometrics only) don't change the authentication flow.

Device passcode: not enabled

Biometrics: not enabled

Device passcode: enabled

Biometrics: not enabled

Device passcode: enabled

Biometrics: enabled

  • When users authenticate with Okta Verify Push, they're prompted to set up biometrics.
  • When users authenticate with Okta FastPass on Android, iOS, or macOS, they're prompted to set up biometrics.
  • On Windows, authentication with Okta FastPass is blocked.*
  • For Okta Verify Push, users authenticate with biometrics.
  • For Okta FastPass on Android, iOS, and macOS, users authenticate with biometrics.
  • On Windows, authentication with Okta FastPass is blocked.*

* Due to Windows constraints, Okta can't prevent the use of Windows Hello PIN. Even if you configure Okta Verify enrollment to require biometrics, users who enable only Windows Hello PIN satisfy the enrollment requirement.

Best practices

When you configure authentication policies that require biometric user verification, create separate rules for exception cases:

  • Create a dedicated rule for devices that don't support biometrics.

  • Create a dedicated rule for Windows users and set the user interaction to Require device passcode or biometric user verification. If your policy rule requires biometric user verification, authentication fails for Windows users who set up only Windows Hello PIN during Okta Verify enrollment.

Related topics

Configure Okta Verify options