Configure a phishing-resistant onboarding flow

Limited Early Access release

The first part of the journey contains tasks for group management, authenticator setup, and policy configuration. Complete each task in order, and then go to the next step.

Before you begin

Ensure that User enumeration prevention is disabled. In the Admin Console, go to Security > General > User enumeration prevention. Clear the checkboxes for Authentication and Recovery, and then click Save.

Create groups for YubiKey users

  1. In the Admin Console, go to Directory > Groups.
  2. Click Add group.
  3. Create two groups, and name them YubiKey 5 NFC and YubiKey 5C NFC.
  4. Click Save.

Configure the FIDO2 (WebAuthn) authenticator

  1. Go to Security > Authenticators.
  2. On the Setup tab, click Add Authenticator.
  3. Click Add on the FIDO2 (WebAuthn) tile.
  4. Set User verification to Preferred.
  5. Click Add.
  6. Optional: Add another phishing-resistant authenticator so that users can still access their Okta account if they lose their YubiKey. See Okta FastPass.

Configure a global session policy

  1. Create a global session policy. In the Assign to Groups field, enter YubiKey 5 NFC and YubiKey 5C NFC.
  2. Add a global session policy rule. Set the following conditions.
    • Establish the user session with: Any factor used to meet the Authentication Policy requirements
    • Multifactor authentication (MFA): Required
    • Users will be prompted for MFA: At every sign in
  3. Move this policy to the top of the priority list.

Configure an authenticator enrollment policy

  1. Create an authenticator enrollment policy. Set the following conditions.
    • Assign to groups: YubiKey 5 NFC and YubiKey 5C NFC.
    • Authenticators:
      • FIDO2 (WebAuthn): Required
      • Allowed authenticators: Any WebAuthn authenticators
      • Okta Verify: Required or optional
      • Disable all other authenticators.
  2. Configure an authenticator enrollment policy rule. Set the following conditions.
    • User is accessing: Okta and Applications. Select Any application that supports MFA enrollment.
    • Enrollment is: Allowed if required authenticators are missing
  3. Move this policy to the top of the priority list.

Configure an authentication policy

  1. Create an authentication policy.
  2. Add an authentication policy rule. Set the following conditions.
    • User's group membership includes: At least one of the following groups. Enter group names: YubiKey 5 NFC and YubiKey 5C NFC
    • User must authenticate with: Any 2 factor types
    • Possession factor constraints are: Phishing resistant
  3. Move this rule to the top of the priority list.
  4. On the Applications tab, click Add app.
  5. Add the Okta Dashboard app to the policy. Search for other apps you want to assign to the YubiKey users and add them to the policy.
  6. Click Close.

Configure a password policy

  1. Configure the password authenticator, and at step 3, select Add New Password Policy.
    • Add groups: YubiKey 5 NFC and YubiKey 5C NFC.
    • Keep the default options.
  2. Configure the password authenticator. Clear all options for User can perform self-service.
  3. Move the policy to the top of the priority list.
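The steps above leave the enforcement in two places: the global session policy rule (MFA required at every sign in) and the authentication policy rule (any two factor types, possession factor constrained to phishing resistant), both scoped to the two YubiKey groups. The following is an added example, not Okta's own code or documentation, that audits exported policy rule objects for exactly those settings. It runs offline on constructed samples; the field names it reads (actions.signon for a global session policy rule, actions.appSignOn.verificationMethod for an authentication policy rule, conditions.people.groups.include for group scoping) follow the Okta Policy API as the author understands it and should be treated as assumptions to confirm against the JSON your own tenant returns from /api/v1/policies. The group IDs are placeholders, not real Okta IDs.

```python
"""Audit Okta policy rule objects for the phishing-resistant settings above.

Added example, not Okta's own tooling. Field names are assumptions based on
the Okta Policy API; verify them against your tenant's exported policies.
"""

YUBIKEY_GROUPS = {"YubiKey 5 NFC", "YubiKey 5C NFC"}

# Constructed placeholder group IDs mapped to the group names used in the steps.
SAMPLE_GROUPS = {"00gSAMPLEA": "YubiKey 5 NFC", "00gSAMPLEB": "YubiKey 5C NFC"}


def _included_groups(obj: dict) -> list:
    """Group IDs listed in a policy's or rule's people condition (empty if none)."""
    return obj.get("conditions", {}).get("people", {}).get("groups", {}).get("include", [])


def missing_groups(obj: dict, groups_by_id: dict) -> list:
    """YubiKey groups, by name, that the policy or rule does not include."""
    names = {groups_by_id.get(gid, gid) for gid in _included_groups(obj)}
    return sorted(YUBIKEY_GROUPS - names)


def session_rule_findings(rule: dict) -> list:
    """Check a global session policy rule: MFA required, prompted at every sign in."""
    signon = rule.get("actions", {}).get("signon", {})
    findings = []
    if not signon.get("requireFactor"):
        findings.append("MFA is not required")
    if signon.get("factorPromptMode") != "ALWAYS":
        findings.append("users are not prompted for MFA at every sign in")
    return findings


def auth_rule_findings(rule: dict) -> list:
    """Check an authentication policy rule: 2 factor types, phishing-resistant possession, top priority."""
    method = rule.get("actions", {}).get("appSignOn", {}).get("verificationMethod", {})
    findings = []
    if method.get("factorMode") != "2FA":
        findings.append("rule does not require two factor types")
    constraints = method.get("constraints") or []
    # Every constraint set must demand a phishing-resistant possession factor;
    # an empty constraint list means any possession factor (e.g. SMS) would pass.
    if not constraints or any(
        c.get("possession", {}).get("phishingResistant") != "REQUIRED" for c in constraints
    ):
        findings.append("possession factor is not constrained to phishing resistant")
    if rule.get("priority") != 1:
        findings.append("rule is not at the top of the priority list")
    return findings


# Constructed samples: a rule as the steps above should leave it, and a weak
# rule that only asks for a single factor with no possession constraint.
AUTH_RULE_OK = {
    "name": "YubiKey users",
    "priority": 1,
    "conditions": {"people": {"groups": {"include": ["00gSAMPLEA", "00gSAMPLEB"]}}},
    "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
        "type": "ASSURANCE", "factorMode": "2FA",
        "constraints": [{"possession": {"phishingResistant": "REQUIRED"}}],
    }}},
}
AUTH_RULE_WEAK = {
    "name": "Catch-all",
    "priority": 2,
    "conditions": {"people": {"groups": {"include": ["00gSAMPLEA"]}}},
    "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
        "type": "ASSURANCE", "factorMode": "1FA", "constraints": [],
    }}},
}
SESSION_RULE_OK = {
    "name": "YubiKey session rule",
    "actions": {"signon": {"access": "ALLOW", "requireFactor": True, "factorPromptMode": "ALWAYS"}},
}
SESSION_RULE_WEAK = {
    "name": "Default rule",
    "actions": {"signon": {"access": "ALLOW", "requireFactor": True, "factorPromptMode": "SESSION"}},
}


def audit_rules(auth_rules, session_rules, groups_by_id=SAMPLE_GROUPS) -> dict:
    """Return {rule name: [findings]} for every rule that deviates from the target state."""
    report = {}
    for rule in auth_rules:
        findings = auth_rule_findings(rule) + [
            f"group not covered: {g}" for g in missing_groups(rule, groups_by_id)
        ]
        if findings:
            report[rule["name"]] = findings
    for rule in session_rules:
        findings = session_rule_findings(rule)
        if findings:
            report[rule["name"]] = findings
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(audit_rules([AUTH_RULE_OK, AUTH_RULE_WEAK],
                                 [SESSION_RULE_OK, SESSION_RULE_WEAK]), indent=2))
```

To run it against a real tenant, replace the constructed samples with the rule objects you fetch from the policies API (authentication policies are the ACCESS_POLICY type, global session policies the OKTA_SIGN_ON type) and resolve group IDs to names from the groups API; the checks themselves do not need to change. The weak sample shows the failure mode worth catching: a rule that allows a single factor, or that lacks a possession constraint, lets a non-phishing-resistant factor satisfy sign in even when the YubiKey groups are assigned.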

Next step

Set up YubiKey - Okta flow