Phishing-resistant authentication
Phishing-resistant authentication detects and prevents the disclosure of sensitive authentication data to fake apps or websites. WebAuthn (FIDO 2) and Okta FastPass (which comes with Okta Verify) are phishing-resistant authenticators that prevent email, SMS, and social media phishing attacks. They can also reduce the impact of attacks when the device or network is already compromised.
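The reason WebAuthn cannot be phished is that the browser, not the web page, writes the origin into the signed client data, and the authenticator only answers for the relying-party ID derived from that origin. The following is an added illustration of the relying-party side of that check, written for this page and not Okta's code or a full WebAuthn implementation: the relying party name, origin and look-alike domain are constructed, and signature verification over the signed data is left out to keep the focus on the binding checks.

```python
import base64
import hashlib
import json
import os

# Hypothetical relying party values (constructed for this example, not Okta's).
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_client_data(challenge: bytes, origin: str) -> bytes:
    """Model of the clientDataJSON the browser builds for a sign-in ceremony.
    The browser, not the page, fills in `origin`, so a look-alike site cannot
    claim to be the real one."""
    data = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return json.dumps(data).encode()


def build_authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """Model of authenticatorData: sha256(rpId) || flags || signCount.
    A real authenticator only answers for the rpId the browser derived from
    the page's origin, which is why the hash is checked server-side."""
    flags = 0x05  # UP (user present) and UV (user verified) bits
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, authenticator_data: bytes, expected_challenge: bytes,
                     rp_id: str = RP_ID, expected_origin: str = EXPECTED_ORIGIN):
    """Relying-party binding checks from the WebAuthn assertion procedure.
    Returns (ok, reason). Signature verification over
    authenticator_data || sha256(client_data_json) is out of scope here."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or cross-session assertion)"
    if client_data.get("origin") != expected_origin:
        return False, f"origin {client_data.get('origin')!r} is not {expected_origin!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def demo():
    """Legitimate sign-in versus the same ceremony relayed through a look-alike
    domain (constructed: login-example.com, hyphen instead of dot), plus a
    stale challenge to show the anti-replay check."""
    challenge = os.urandom(32)  # fresh per-session server challenge
    legit = verify_assertion(
        build_client_data(challenge, "https://login.example.com"),
        build_authenticator_data("login.example.com"),
        challenge,
    )
    lookalike = verify_assertion(
        build_client_data(challenge, "https://login-example.com"),
        build_authenticator_data("login-example.com"),
        challenge,
    )
    replay = verify_assertion(
        build_client_data(os.urandom(32), "https://login.example.com"),
        build_authenticator_data("login.example.com"),
        challenge,
    )
    return {"legitimate": legit, "lookalike": lookalike, "replay": replay}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:11s} accepted={ok} ({reason})")
```

Running the block shows the legitimate ceremony accepted and the look-alike rejected on the origin check; even if a proxy between the user and the real site forwarded the assertion unchanged, the origin and rpIdHash inside the signed data would still name the look-alike domain, which is the property a password or OTP prompt lacks.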
Procedure
To ensure that users sign in with phishing-resistant factor types, follow these steps:
- Set up WebAuthn (FIDO 2) or Okta Verify.
- If you use Okta FastPass for iOS or macOS managed devices, configure an SSO extension profile.
- Configure authenticator enrollment policies for Okta FastPass or WebAuthn. See Create an authenticator enrollment policy.
- Configure authentication policies that require a phishing-resistant possession factor: WebAuthn (FIDO 2) or Okta FastPass. See Add an authentication policy rule.
User experience
When apps are protected by policies that require phishing resistance, users can sign in with Okta FastPass or WebAuthn. If Okta FastPass isn't supported, users are prompted to sign in with WebAuthn.
Authentication with Okta FastPass or WebAuthn is phishing resistant on all supported operating systems when users access their apps directly or from a supported browser. There are some restrictions:
- Some apps don't support Okta phishing-resistant authentication due to their WebView implementation. If users access this type of app and your authentication policy requires phishing resistance, authentication fails with an Access denied message.
- On macOS, configure an SSO extension to ensure that authentication with Okta FastPass in Safari is phishing resistant.
- For Universal Windows Platform apps, you must run a script to support phishing-resistant authentication.
If a phishing attempt occurs while a user authenticates, the event is recorded in the System Log with a message such as Okta FastPass declined phishing attempt.
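Because each declined attempt lands in the System Log, the entries can be reviewed for patterns, for example one user being targeted repeatedly or several users hit from one source address. The following is an added example, not Okta code: it filters constructed sample entries on the message text quoted above and tallies them by user and source address. The entries are made up and only follow the general shape of System Log events (displayMessage, published, actor, client); the exact event type for these records is not given on this page and is left out.

```python
import json
from collections import Counter

# Constructed sample entries, one JSON object per line. Field names follow the
# general shape of Okta System Log events; every value here is made up.
SAMPLE_LOG = """
{"published": "2024-05-01T09:00:01.000Z", "displayMessage": "Okta FastPass declined phishing attempt", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}}
{"published": "2024-05-01T09:00:30.000Z", "displayMessage": "User single sign on to app", "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.7"}}
{"published": "2024-05-01T09:02:15.000Z", "displayMessage": "Okta FastPass declined phishing attempt", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}}
{"published": "2024-05-01T09:05:00.000Z", "displayMessage": "Okta FastPass declined phishing attempt", "actor": {"alternateId": "carol@example.com"}, "client": {"ipAddress": "203.0.113.10"}}
"""

# Substring of the message the documentation quotes; matching on a substring
# keeps the filter working if the message is prefixed or suffixed.
PHISHING_MARKER = "declined phishing attempt"


def parse_log(text: str) -> list:
    """Parse newline-delimited JSON events, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def find_declined_phishing(events: list) -> list:
    """Keep only events whose displayMessage records a declined phishing attempt."""
    return [e for e in events if PHISHING_MARKER in e.get("displayMessage", "")]


def summarize(events: list) -> dict:
    """Count declined attempts overall, per targeted user and per source address,
    which is what an analyst would pivot on when triaging these events."""
    hits = find_declined_phishing(events)
    return {
        "count": len(hits),
        "by_user": dict(Counter(e["actor"]["alternateId"] for e in hits)),
        "by_source_ip": dict(Counter(e["client"]["ipAddress"] for e in hits)),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(parse_log(SAMPLE_LOG)), indent=2))
```

With the sample above the summary shows three declined attempts, two against the same user and all three from one source address, the kind of clustering that separates an isolated mistyped URL from a campaign.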