Review and manage FIDO MDS and custom authenticators
Search the FIDO Metadata Service (MDS) Authenticator Attestation Global Unique Identifier (AAGUID) list to see which authenticators you can use with Okta. The lists display the AAGUID number for each authenticator, its type, FIPS compliance status, and hardware protection status. They help you identify the authenticators that are compatible with your environment, provide the protection features you require, and comply with your security standards.
If your authenticator doesn't appear in the FIDO MDS AAGUID list, you can add it to the custom AAGUID list. When you add an entry to the custom AAGUID list that's already in the FIDO MDS AAGUID list, the custom entry overrides the FIDO MDS entry.
You can download the list from the FIDO Alliance website. See FIDO Alliance Metadata Service. You can only view the FIDO MDS AAGUID and custom AAGUID lists in Okta after you've added the Passkeys (FIDO2 WebAuthn) authenticator.
- In the Admin Console, go to .
- On the Setup tab, click Actions in the Passkeys (FIDO2 WebAuthn) row.
- Select AAGUID list.
- To look up an Okta-compatible authenticator, enter an authenticator name or an AAGUID number in the Search field in the FIDO MDS AAGUID list section. Enter the same criteria in the Search field of the Custom AAGUID section if it doesn't appear in the FIDO MDS AAGUID list.
- If your authenticator doesn't appear in either of the lists, click Add custom AAGUID. Complete these fields:
  - Name: Enter a name for your custom authenticator.
  - AAGUID: Enter the AAGUID number for your custom authenticator.
  - Enable attestation with an attestation validation certificate: Select this option to use certificate-based attestation. If you upload a certificate here, Okta places your certificate on the user's custom authenticator. If you don't upload a certificate, more options appear:
    - Upload certificate: Drag and drop your attestation validation certificate into the upload area, or click Upload file and then select the certificate from the file browser.
    - Characteristics: Select the characteristics that apply to your custom authenticator (Hardware protected, FIPS compliant, and Roaming authenticator).
- Click Save.
- To edit or delete a custom authenticator, click its Actions dropdown menu. Select Edit or Delete. If the custom AAGUID is used in a WebAuthn authenticator group, you must remove it from the group before you can delete it.
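The two lists above are consulted by AAGUID, and the AAGUID itself is carried in the attested credential data of a WebAuthn registration response. The following Python is an added example, not Okta code, showing the data flow a relying party performs behind these screens: parse the AAGUID out of authenticator data, merge a FIDO MDS list with a custom list so that custom entries override MDS entries with the same AAGUID, and then apply characteristic requirements such as FIPS compliance or hardware protection. All AAGUIDs, names, the RP ID `rp.example`, and the function names are constructed placeholders; the MDS entries are not real MDS data.

```python
import hashlib
import struct
import uuid
from typing import Dict, Optional, Tuple

# Constructed subset of a FIDO MDS-style AAGUID list. AAGUIDs and names are
# placeholders, not real MDS entries.
FIDO_MDS_AAGUID_LIST: Dict[str, dict] = {
    "11111111-1111-1111-1111-111111111111": {
        "name": "Example Roaming Key A", "type": "roaming",
        "fips_compliant": False, "hardware_protected": True,
    },
    "22222222-2222-2222-2222-222222222222": {
        "name": "Example Platform Authenticator B", "type": "platform",
        "fips_compliant": False, "hardware_protected": True,
    },
}

# Constructed custom AAGUID list. The first entry deliberately reuses an AAGUID
# from the MDS list so the override behaviour can be shown.
CUSTOM_AAGUID_LIST: Dict[str, dict] = {
    "11111111-1111-1111-1111-111111111111": {
        "name": "Example Roaming Key A (FIPS build)", "type": "roaming",
        "fips_compliant": True, "hardware_protected": True,
    },
    "33333333-3333-3333-3333-333333333333": {
        "name": "Example In-house Software Authenticator", "type": "platform",
        "fips_compliant": False, "hardware_protected": False,
    },
}

FLAG_AT = 0x40  # "attested credential data included" bit in the WebAuthn flags byte


def merged_aaguid_list(mds: Dict[str, dict], custom: Dict[str, dict]) -> Dict[str, dict]:
    """Combine both lists; a custom entry replaces an MDS entry with the same AAGUID."""
    merged = dict(mds)
    merged.update(custom)
    return merged


def aaguid_from_authenticator_data(auth_data: bytes) -> Optional[str]:
    """Extract the AAGUID from WebAuthn authenticator data.

    Layout: rpIdHash (32) | flags (1) | signCount (4) | attested credential data
    (AAGUID 16 | credentialIdLength 2 | credentialId | credentialPublicKey); the
    attested credential data is present only when the AT flag is set.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the fixed 37-byte header")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        return None  # no attested credential data, so there is no AAGUID to read
    if len(auth_data) < 37 + 16 + 2:
        raise ValueError("AT flag set but attested credential data is truncated")
    return str(uuid.UUID(bytes=auth_data[37:53]))


def evaluate_registration(auth_data: bytes, allow_list: Dict[str, dict],
                          require_fips: bool = False,
                          require_hardware: bool = False) -> Tuple[bool, str]:
    """Decide whether a registration is acceptable according to the merged AAGUID list."""
    aaguid = aaguid_from_authenticator_data(auth_data)
    if aaguid is None:
        return False, "no attested credential data in registration response"
    entry = allow_list.get(aaguid)
    if entry is None:
        return False, f"AAGUID {aaguid} is in neither the MDS nor the custom list"
    if require_fips and not entry["fips_compliant"]:
        return False, f"{entry['name']} is not FIPS compliant"
    if require_hardware and not entry["hardware_protected"]:
        return False, f"{entry['name']} is not hardware protected"
    return True, f"{entry['name']} accepted"


def build_authenticator_data(aaguid: str, credential_id: bytes = b"\x01\x02\x03\x04") -> bytes:
    """Construct sample authenticator data for a hypothetical RP (test input only)."""
    rp_id_hash = hashlib.sha256(b"rp.example").digest()  # constructed RP ID
    flags = bytes([0x01 | FLAG_AT])  # user present + attested credential data
    sign_count = struct.pack(">I", 1)
    cred_id_len = struct.pack(">H", len(credential_id))
    cose_key = b"\xa0"  # empty CBOR map standing in for the credential public key
    return (rp_id_hash + flags + sign_count + uuid.UUID(aaguid).bytes
            + cred_id_len + credential_id + cose_key)


if __name__ == "__main__":
    allow = merged_aaguid_list(FIDO_MDS_AAGUID_LIST, CUSTOM_AAGUID_LIST)
    for candidate in list(allow) + ["44444444-4444-4444-4444-444444444444"]:
        auth_data = build_authenticator_data(candidate)
        print(candidate, evaluate_registration(auth_data, allow, require_fips=True))
```

Running the module shows the override in action: the roaming key that the MDS list marks as non-FIPS is accepted under `require_fips=True` because the custom entry for the same AAGUID replaces it, while the unknown AAGUID and the software-only entry are rejected with a reason string you could log for incident review.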
Enroll a FIDO2 security key for a user
You can enroll a security key on behalf of a user whose name appears in the Okta directory. This enables you to provision security keys, along with laptops and mobile phones, as part of onboarding employees.
- In the Admin Console, go to .
- Enter the user's name in the search field, and then press Enter. Or, click Show all users, find the user in the list, and click the user's name.
- In the More Actions menu, select Enroll FIDO2 Security Key.
- Click Register. The Enroll WebAuthn Security page appears.
- If your browser displays the Create a passkey to sign in to <org name>? prompt, click Cancel to return to the Enroll WebAuthn Security page.
- Follow the prompts in your browser.
- When the Allow this site to see your security key? prompt appears, click Allow.
- Click Close or Register another.
