Phishing-resistant authentication

Phishing-resistant authentication detects and prevents the disclosure of sensitive authentication data to fake apps or websites. FIDO2 (WebAuthn) and Okta FastPass (which comes with Okta Verify) are phishing-resistant authenticators that prevent email, SMS, and social media phishing attacks. They can also reduce the impact of attacks when the device or network is already compromised.
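Why FIDO2 (WebAuthn) holds up against a fake site, as an added illustration that is not Okta's code: the browser, not the page, writes the origin into clientDataJSON, and the relying party rejects any assertion whose origin, RP ID hash, or challenge does not match what it expects. The relying-party values (EXPECTED_RP_ID, EXPECTED_ORIGIN) and the sample assertions are constructed for this example.

```python
import base64
import hashlib
import json

# Assumed values for this example: the org's Okta domain acts as the relying party.
EXPECTED_RP_ID = "example.okta.com"
EXPECTED_ORIGIN = "https://example.okta.com"

def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Constructed stand-in for what a browser returns from navigator.credentials.get().
    The browser itself writes the origin into clientDataJSON, so a fake site cannot
    claim the real origin; that binding is what makes FIDO2 phishing resistant."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url_encode(challenge),
                              "origin": origin}).encode()
    # authenticatorData: rpIdHash (32 bytes) + flags (UP|UV = 0x05) + signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (0).to_bytes(4, "big")
    return {"clientDataJSON": b64url_encode(client_data),
            "authenticatorData": b64url_encode(auth_data)}

def verify_assertion(assertion: dict, expected_challenge: bytes) -> str:
    """Relying-party checks that reject an assertion minted on a fake site or
    replayed from another session. Returns "ok" or the rejection reason.
    Signature verification over authenticatorData || SHA-256(clientDataJSON) is
    the remaining step and is omitted here."""
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return "rejected: wrong ceremony type"
    if client_data.get("challenge") != b64url_encode(expected_challenge):
        return "rejected: challenge mismatch (replay or wrong session)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return f"rejected: origin {client_data.get('origin')!r} is not {EXPECTED_ORIGIN!r}"
    auth_data = b64url_decode(assertion["authenticatorData"])
    if auth_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return "rejected: rpIdHash does not match the expected RP ID"
    if not auth_data[32] & 0x01:
        return "rejected: user presence (UP) flag not set"
    return "ok"
```

A lookalike domain such as example-okta.com fails at the origin check, which is the point at which a password or OTP would already have been disclosed.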

Procedure

To ensure that users sign in with phishing-resistant factor types, follow these steps:

  1. Set up FIDO2 (WebAuthn) or Okta Verify.

  2. Configure Okta FastPass.

    If you use Okta FastPass for iOS or macOS managed devices, configure an SSO extension profile.

  3. Configure authenticator enrollment policies for Okta FastPass or FIDO2 (WebAuthn). See Create an authenticator enrollment policy.

  4. Configure authentication policies that require a phishing-resistant possession factor: FIDO2 (WebAuthn) or Okta FastPass. See Add an authentication policy rule.

User experience

When apps are protected by policies that require phishing resistance, users can sign in with Okta FastPass or FIDO2 (WebAuthn). If Okta FastPass isn't supported, users are prompted to sign in with FIDO2 (WebAuthn).

Authentication with Okta FastPass or FIDO2 (WebAuthn) is phishing resistant on all supported operating systems when users access their apps directly or from a supported browser. There are some restrictions:

  • Some apps don't support Okta phishing-resistant authentication because of their WebView implementation. If users access such an app and your authentication policy requires phishing resistance, authentication fails with an "Access denied" message.
  • On macOS, configure an SSO extension to ensure that authentication with Okta FastPass in Safari is phishing resistant.
  • For Universal Windows Platform apps, you must run a script to support phishing-resistant authentication.

If a phishing attempt is detected while a user authenticates, the event is recorded in the System Log with a message such as "Okta FastPass declined phishing attempt".

Related topics

Okta FastPass