Phishing-resistant authenticator enrollment

You can increase the security of your org by configuring phishing-resistant authenticator enrollment.

Before you begin

  • Configure phishing-resistant authenticators. See Phishing-resistant authentication. To ensure that users enroll in Okta Verify in a phishing-resistant manner, select Higher security methods when you configure Okta Verify. With this option, users can't enroll with a QR code, email, or SMS link. See Configure Okta Verify options.

  • Configure authenticator enrollments to require a pre-existing phishing-resistant authenticator. To turn on this feature, go to Admin Console Settings and click the toggle for Require phishing-resistant authenticator to enroll additional authenticators. With this Early Access feature enabled, users must authenticate with FIDO2 (WebAuthn) or Okta FastPass before they enroll in other authenticators.

End-user experience

Users have no phishing-resistant authenticator

Users are prompted to enroll in a phishing-resistant authenticator when they enroll in multifactor authentication or the next time they sign in to Okta. If users add another authenticator later, they must authenticate with the phishing-resistant authenticator first.

If a user hasn't enrolled in a phishing-resistant authenticator, they can enroll in any authenticators that satisfy assurance requirements defined in the authenticator enrollment policy.

Users have at least one phishing-resistant authenticator

  • Users can use Okta FastPass to enroll in another authenticator (such as FIDO2 (WebAuthn) or a hardware key) on the same device. They can also use the Okta Verify app to enroll other devices by using the Add account to another device option. See the end-user documentation for Android, iOS, macOS, and Windows devices.

  • Users can plug a previously enrolled YubiKey that supports FIDO2 into any device and then enroll in FIDO2 (WebAuthn) or Okta FastPass on that device.

  • If a user has a device-bound authenticator such as FIDO2 (WebAuthn), they can use it to enroll in Okta FastPass on the same device. They can then use the Add account to another device option in Okta Verify to enroll other devices.
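The following added example (not Okta's code or API) models the enrollment rules described above as a single decision function, so an admin can trace what a given user will be allowed to do: the authenticator names, the `channel` values for Okta Verify enrollment, and the two toggles are assumptions that mirror the settings and behaviour this page describes.

```python
# Added example, not Okta code: a model of the enrollment rules on this page.
# Authenticator and channel names are assumed labels, not Okta identifiers.

# Authenticators the page treats as phishing-resistant.
PHISHING_RESISTANT = {"fido2_webauthn", "okta_fastpass"}
# Okta Verify enrollment channels that "Higher security methods" disables.
WEAK_OKTA_VERIFY_CHANNELS = {"qr_code", "email_link", "sms_link"}


def enrollment_decision(enrolled, requested, authenticated_with,
                        require_pr_to_enroll=True,
                        okta_verify_higher_security=True,
                        channel=None):
    """Return (allowed, reason) for a request to enroll `requested`.

    enrolled            -- set of authenticators the user already has
    requested           -- authenticator the user wants to add
    authenticated_with  -- authenticator used for the current session
    channel             -- Okta Verify enrollment channel, when requesting
                           Okta FastPass (None = same-device or Add account
                           to another device, which the page allows)
    """
    # Higher security methods: Okta Verify can't be enrolled via QR/email/SMS.
    if (requested == "okta_fastpass" and okta_verify_higher_security
            and channel in WEAK_OKTA_VERIFY_CHANNELS):
        return False, f"Okta Verify enrollment via {channel} is disabled"

    if not require_pr_to_enroll:
        return True, "feature off: any policy-compliant authenticator allowed"

    if not enrolled & PHISHING_RESISTANT:
        # No phishing-resistant authenticator yet: the user is prompted to
        # enroll one, and may still enroll others the enrollment policy allows.
        if requested in PHISHING_RESISTANT:
            return True, "enrolling first phishing-resistant authenticator"
        return True, "allowed; user is prompted to enroll a phishing-resistant authenticator"

    # User already has one: they must have authenticated with it first.
    if authenticated_with in PHISHING_RESISTANT:
        return True, f"authenticated with {authenticated_with}"
    return False, "must authenticate with FIDO2 (WebAuthn) or Okta FastPass first"


def walkthrough():
    """Constructed scenario: a user with only a password adds FastPass, then FIDO2."""
    steps = [
        (set(), "okta_fastpass", "password", {"channel": "qr_code"}),
        (set(), "okta_fastpass", "password", {}),
        ({"okta_fastpass"}, "fido2_webauthn", "password", {}),
        ({"okta_fastpass"}, "fido2_webauthn", "okta_fastpass", {}),
    ]
    return [enrollment_decision(e, r, a, **kw)[0] for e, r, a, kw in steps]
```

`walkthrough()` returns `[False, True, False, True]`: the QR-code enrollment is blocked, the first FastPass enrollment succeeds, and the later FIDO2 enrollment is allowed only once the user has authenticated with FastPass.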

Related topics

Configure the FIDO2 (WebAuthn) authenticator

Okta FastPass

Multifactor authentication