Set up FIDO2 (WebAuthn) authenticator and phishing-resistant policies

Early Access release. See Enable self-service features.

This set of tasks explains how to configure the FIDO2 (WebAuthn) authenticator and the policies that require phishing-resistant authenticators.

Before you begin

  • Disable User enumeration prevention. In the Admin Console, go to Security > General > User enumeration prevention. Clear the checkboxes for Authentication and Recovery, and then click Save.
  • Configure the FIDO2 (WebAuthn) authenticator. Set User verification to Preferred.
  • Optional. Okta recommends adding another phishing-resistant authenticator such as Okta FastPass. This ensures that users can access their Okta account if they lose their YubiKey.

Create groups for new and existing users

  1. In the Admin Console, go to Directory > Groups.
  2. Click Add group.
  3. Create groups for new and existing users, and name them accordingly. For example, New Employees and Existing Employees.
  4. Click Save.

Assign the phishing-resistant policies that you create to these groups.

Configure a global session policy

  1. Create a global session policy. Assign it to the new and existing user groups.
  2. Add a global session policy rule. Set the following conditions:
    • Establish the user session with: Any factor used to meet the Authentication Policy requirements
    • Multifactor authentication (MFA): Required
    • Users will be prompted for MFA: At every sign in
  3. Move this policy to the top of the priority list.

Configure an authenticator enrollment policy

For existing users, ensure that the authenticator enrollment policy that applies to them sets FIDO2 (WebAuthn) to Required or Optional.

For new users, complete the following steps:

  1. Create an authenticator enrollment policy. Assign it to the new and existing user groups.
  2. Set the following conditions for Authenticators:
    • FIDO2 (WebAuthn): Required
    • Allowed authenticators: Any WebAuthn authenticators
    • Okta Verify: Required or Optional
    • Define whether other authenticators are Required, Optional, or Disabled as needed.
  3. Configure an authenticator enrollment policy rule. Set the following conditions:
    • User is accessing: Okta and Applications. Select Any application that supports MFA enrollment.
    • Enrollment is: Allowed if required authenticators are missing
  4. Move this policy to the top of the priority list.

Configure an authentication policy for Okta Dashboard

  1. In the Admin Console, go to Security > Authentication Policies.
  2. Click the Okta Dashboard.
  3. Add an authentication policy rule. Set the following conditions:
    • User's group membership includes: At least one of the following groups. Enter the new and existing user groups.
    • User must authenticate with: Any 2 factor types
    • Possession factor constraints are: Phishing resistant, Require user interaction, Require PIN, or biometric user verification
  4. Move this rule to the top of the priority list.
  5. On the Applications tab, click Add app.
  6. Add the Okta Dashboard app to the policy. Search for other apps you want to assign to these users and add them to the policy.
  7. Click Close.
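The possession constraints above (Phishing resistant, Require user interaction, Require PIN or biometric user verification) correspond to checks a relying party performs on the WebAuthn authenticator data: the rpIdHash must match the expected RP ID, and the UP and UV flag bits must be set. The following added example (not Okta's code or part of this guide) parses the fixed prefix of authenticator data and applies those checks; the RP ID `example.okta.com` and the sample bytes are constructed for illustration.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bits of the "flags" byte in WebAuthn authenticator data (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01  # User Present: the user touched the key ("Require user interaction")
FLAG_UV = 0x04  # User Verified: PIN or biometric checked ("Require PIN, or biometric user verification")


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_auth_data(data: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthData(rp_id_hash=data[:32], flags=data[32], sign_count=sign_count)


def satisfies_policy(auth: AuthData, expected_rp_id: str, require_uv: bool) -> bool:
    """Return True only if the assertion meets a phishing-resistant possession policy.

    The authenticator signs over SHA-256(RP ID), so an assertion produced on a look-alike
    domain carries a different rpIdHash and is rejected; that is the phishing-resistant
    property. UP must always be set; UV is required when the policy demands PIN/biometric.
    """
    if auth.rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        return False
    if not auth.flags & FLAG_UP:
        return False
    if require_uv and not auth.flags & FLAG_UV:
        return False
    return True


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed sample authenticator data for illustration; not a real assertion."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    sample = parse_auth_data(make_auth_data("example.okta.com", FLAG_UP | FLAG_UV, 7))
    print(satisfies_policy(sample, "example.okta.com", require_uv=True))  # True
```

With "User verification: Preferred" on the authenticator, the UV bit may be absent on some assertions, which is why the policy rule, not the authenticator setting, is what enforces PIN or biometric verification.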

Next step

Set up Okta Workflows for YubiKey shipment