Customize the Passkeys (FIDO2 WebAuthn) relying party ID domain

A relying party (RP) ID is the domain that a passkey or security key is bound to when it's enrolled: the credential is tied to the RP ID, and a browser only lets an origin use it when the RP ID equals the origin's host or a parent domain of it. Okta lets you customize the RP ID domain. You can specify your Okta org domain, your custom domain, or a registrable suffix of a custom domain. Users can then authenticate with their passkeys or security keys in that domain and all of its subdomains. This gives you phishing-resistant authentication across all of your domains, because a credential enrolled for your RP ID can't be exercised from a lookalike domain. It also avoids having to issue a separate passkey or security key to each user for each domain they access.
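The following example, added here and not part of the Okta documentation or Okta's code, shows the two checks that make RP ID scoping work: the browser-side rule that an origin may only use an RP ID equal to its host or a registrable parent of it, and the server-side rule that an assertion must carry the SHA-256 hash of the server's own RP ID (the rpIdHash in WebAuthn authenticator data). The second check is also why enrollments registered under a previous RP ID stop working after a change. The domains acme.okta.com, acme.com and login.acme.com are hypothetical, and the public-suffix set is a constructed stand-in for the real Public Suffix List.

```python
"""WebAuthn RP ID scoping checks (added example, not Okta code)."""
import hashlib
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List. An RP ID must be a
# *registrable* suffix, so bare public suffixes like these are rejected.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def is_secure_origin(origin: str) -> bool:
    """WebAuthn only runs in a secure context: https, or http on localhost."""
    u = urlsplit(origin)
    host = u.hostname or ""
    if u.scheme == "https":
        return True
    return u.scheme == "http" and (host == "localhost" or host.endswith(".localhost"))


def is_valid_rp_id(rp_id: str) -> bool:
    """Well-formed DNS labels and not a bare public suffix."""
    rp = rp_id.lower().rstrip(".")
    labels = rp.split(".")
    if any(not label or not label.replace("-", "").isalnum() for label in labels):
        return False
    return rp not in PUBLIC_SUFFIXES


def rp_id_allows_origin(rp_id: str, origin: str) -> bool:
    """Browser-side rule: the origin host must equal the RP ID or be a subdomain of it."""
    if not is_valid_rp_id(rp_id) or not is_secure_origin(origin):
        return False
    host = urlsplit(origin).hostname or ""
    rp = rp_id.lower().rstrip(".")
    return host == rp or host.endswith("." + rp)


def origins_covered(rp_id: str, origins: list[str]) -> list[str]:
    """Which of the given origins can use credentials scoped to rp_id."""
    return [o for o in origins if rp_id_allows_origin(rp_id, o)]


def rp_id_hash(rp_id: str) -> bytes:
    """rpIdHash as it appears in authenticator data: SHA-256 over the RP ID string."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest()


def credential_usable(registered_rp_id: str, active_rp_id: str) -> bool:
    """Server-side rule: the hash signed by the authenticator must match the active RP ID.

    A credential enrolled while the RP ID was acme.okta.com is bound to that value
    forever, so it fails this check once the org's RP ID is switched to acme.com.
    """
    return rp_id_hash(registered_rp_id) == rp_id_hash(active_rp_id)


if __name__ == "__main__":
    # Hypothetical org: Okta org domain acme.okta.com, custom domain login.acme.com.
    origins = ["https://acme.okta.com", "https://login.acme.com", "https://api.acme.com"]
    for candidate in ("acme.okta.com", "login.acme.com", "acme.com", "com"):
        print(f"RP ID {candidate!r:20} covers {origins_covered(candidate, origins)}")
    print("old enrollment still usable after switch to acme.com:",
          credential_usable("acme.okta.com", "acme.com"))
```

Run it and the output shows that only the registrable suffix acme.com covers every custom-domain origin, that a bare public suffix such as com is not an acceptable RP ID, and that a credential enrolled under acme.okta.com is rejected once acme.com is the active RP ID. A production check would consult the real Public Suffix List rather than the small constructed set above.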

See Configure a custom domain and Customize domain and email address.

When you activate a new or changed RP ID, Okta invalidates every existing Passkeys (FIDO2 WebAuthn) enrollment (biometrics, passkeys, and security keys) that was registered under a different RP ID. Users can't authenticate with those enrollments any more, because each credential is bound to the RP ID that was active when it was enrolled.

  • Recommended action: Use the Okta API to reset Passkeys (FIDO2 WebAuthn) authenticator enrollments for your users. Okta then prompts users to re-enroll their Passkeys (FIDO2 WebAuthn) authenticators after you've reset their enrollments. See Unenroll a factor.
  • Optional action: Advise users to unenroll their existing Passkeys (FIDO2 WebAuthn) authenticators manually on the Settings page in the End-User Dashboard and then re-enroll them. See Okta End-User Settings. If users don't unenroll their Passkeys (FIDO2 WebAuthn) authenticators, they're prompted to authenticate with the invalidated authenticators the next time they sign in, which can lock them out of the org. This option isn't available in orgs that don't allow users to access the Settings page on the End-User Dashboard.

Create a relying party ID

  1. In the Admin Console, go to Security > Authenticators.

  2. On the Setup tab, click Actions in the Passkeys (FIDO2 WebAuthn) row.
  3. Click Edit.
  4. In the Relying Party ID field, enter your Okta org domain, a custom domain, or a registrable suffix of the custom domain.
  5. Click Check domain. If the domain is valid, Okta displays VERIFIED under the domain name. If you entered a registrable suffix of your custom domain, Okta instead displays TXT record information. Add that TXT record to the domain's DNS zone through your DNS provider or domain registrar.

    Some DNS providers and registrars take time to publish and propagate the change. If it's taking longer than expected, contact your provider or registrar for assistance.

  6. After the TXT record is published and has propagated, click Check for TXT record to verify ownership of the domain.
  7. Click Save.
  8. To activate the RP ID, see Activate and deactivate a relying party ID.

Activate and deactivate a relying party ID

  1. In the Admin Console, go to Security > Authenticators.

  2. On the Setup tab, click Actions in the Passkeys (FIDO2 WebAuthn) row.
  3. Click Edit.
  4. Toggle on or off the Customize Relying Party setting.
  5. Click Save.
  6. Click Save changes at the confirmation prompt. Activating a new or changed RP ID invalidates enrollments registered under the previous RP ID; see the note at the top of this page before you confirm.

Remove a domain

Removing a domain deletes the domain and turns the feature off. You can't edit an RP ID after you've saved it. To change it, remove the current domain and then create a new RP ID. If you change the RP ID, existing Passkeys (FIDO2 WebAuthn) enrollments stop working. See the note in Customize the Passkeys (FIDO2 WebAuthn) relying party ID domain for details.

  1. In the Admin Console, go to Security > Authenticators.

  2. On the Setup tab, click Actions in the Passkeys (FIDO2 WebAuthn) row.
  3. Click Edit.
  4. Click Remove domain. The domain is removed immediately.
  5. Click Save.
  6. Click Save changes at the confirmation prompt.