Phishing-resistant authenticator enrollment

You can increase the security of your org by configuring phishing-resistant authenticator enrollment.

Before you begin

  • Configure phishing-resistant authenticators. See Phishing-resistant authentication. To ensure that users enroll in Okta Verify in a phishing-resistant manner, select Higher security methods when you configure Okta Verify. With this option, users can't enroll with a QR code, email, or SMS link. See Configure Okta Verify options.

  • Configure authenticator enrollments to require a pre-existing phishing-resistant authenticator. To turn on this feature, go to Admin Console Settings and click the toggle for Require phishing-resistant authenticator to enroll additional authenticators. With this Early Access feature enabled, users must authenticate with FIDO2 WebAuthn or Okta FastPass before they enroll in additional authenticators.

End-user experience

Users have no phishing-resistant authenticator

Users are prompted to enroll in a phishing-resistant authenticator when they enroll in multifactor authentication or the next time they sign in to Okta. If users add another authenticator later, they must authenticate with the phishing-resistant authenticator first.

If a user hasn’t enrolled in a phishing-resistant authenticator, they can enroll in any authenticators that satisfy assurance requirements defined in the authenticator enrollment policy.

Users have at least one phishing-resistant authenticator

  • If a user has Okta FastPass set up on their device, they can use it to enroll in another authenticator (such as WebAuthn or a hardware key) on the same device. They can also use the Okta Verify application to enroll other devices by using the Add account to another device option. See the end-user documentation for Android, iOS, macOS, and Windows devices.

  • If a user is enrolled in a roaming authenticator such as a FIDO2 YubiKey, they can plug it into any device and then enroll in WebAuthn or Okta FastPass on that device.

  • If a user has a device-bound authenticator such as WebAuthn, they can use it to enroll in Okta FastPass on the same device. They can then use the Add account to another device option in Okta Verify to enroll other devices.
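An added example, not part of Okta's documentation: before turning on the toggle, an admin can check which users already hold FIDO2 WebAuthn or Okta FastPass and which fall into the "no phishing-resistant authenticator" case above. It assumes factor records shaped like Okta Factors API output (`factorType` and `status`, with `signed_nonce` denoting Okta FastPass); the function names and sample users are constructed.

```python
# Added example; all sample data is constructed.
# Assumption: factor records use the "factorType" and "status" fields of the
# Okta Factors API ("webauthn" = FIDO2 WebAuthn, "signed_nonce" = Okta FastPass).
PHISHING_RESISTANT = {"webauthn", "signed_nonce"}


def resistant_factors(factors):
    """Return the ACTIVE phishing-resistant factor types a user holds."""
    return sorted({
        f["factorType"] for f in factors
        if f.get("status") == "ACTIVE" and f.get("factorType") in PHISHING_RESISTANT
    })


def classify(users):
    """Split users into those who can pass the gate and those prompted to enroll."""
    ready, must_enroll = {}, []
    for login, factors in users.items():
        held = resistant_factors(factors)
        if held:
            ready[login] = held
        else:
            must_enroll.append(login)
    return ready, sorted(must_enroll)


def _f(factor_type, status="ACTIVE"):
    """Build one constructed factor record (hypothetical helper)."""
    return {"factorType": factor_type, "status": status}


SAMPLE = {
    "alice@example.com": [_f("signed_nonce"), _f("push")],
    "bob@example.com": [_f("sms"), _f("token:software:totp")],
    # Assumption: an enrollment that was started but never activated does not count.
    "carol@example.com": [_f("webauthn", "PENDING_ACTIVATION"), _f("email")],
    "dave@example.com": [_f("webauthn"), _f("signed_nonce")],
}

if __name__ == "__main__":
    ready, must_enroll = classify(SAMPLE)
    print("can enroll additional authenticators:", ready)
    print("must enroll a phishing-resistant authenticator first:", must_enroll)
```

Users in the second list are the ones who will be prompted for a phishing-resistant enrollment at their next sign-in, so they are the group to contact before the feature is enabled.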

Related topics

Configure the FIDO2 (WebAuthn) authenticator

Okta FastPass

Multifactor authentication