Configure the Smart Card authenticator

Learn how to use the Smart Card authenticator. You can require users to authenticate with smart cards when they sign in to Okta or when they access an app.

Depending on the Security characteristics you select when configuring the Smart Card Identity Provider (IdP), this authenticator can fulfill the following factor types and method characteristics.

Security characteristics

Factor type Method characteristics
PIN-protected Possession + Knowledge Device-bound


User presence

User verifying

Hardware-protected Possession Device-bound



User presence

Both PIN-protected and hardware-protected Possession + Knowledge Device-bound



User presence

User verifying

None (software-based certificate) Possession + Knowledge Device-bound


User presence

Before you begin

Create at least one Smart Card IdP.

  • See Add a Smart Card IdP.
  • In Security characteristics, select the PIN protected or Hardware protected options according to the configuration of the smart cards that your org uses.

Add Smart Card as an authenticator

  1. In the Admin Console, go to SecurityAuthenticators.
  2. On the Setup tab, click Add authenticator.
  3. Click Add on the Smart Card Authenticator tile.
  4. From the Smart Card Identity Provider (IdP) dropdown, select all IdPs that you want to associate with this authenticator.
  5. Click Save.

Configure policies to use Smart Card as an authenticator

  1. Create an authenticator enrollment policyfor the Smart Card authenticator. Select an Eligible authenticators option in the policy for the authenticator.

  2. Configure an authenticator enrollment policy rule to define what your users access with this authenticator. Select an option in the User is accessing section of the rule.

  3. Create an authentication policy for each app that you want to protect with smart cards.
  4. Add an authentication policy rule. Select the options that apply to your configuration in the Possession factor constraints section.

End-user experience

There are multiple ways users can enroll their Smart Card as an authenticator:

  1. During the sign-in process, they click the Sign-in with PIV button and follow the instructions to enroll their Smart Card.
  2. During the step-up authentication, they identify themselves in the Sign-In Widget and get prompted to enroll their Smart Card.
  3. They enroll their Smart Card through End-User Dashboard > Settings.

Enroll multiple Smart Cards

Users can have multiple active Smart Cards at a time. They can enroll different Smart Cards for different IdPs associated with the Smart Card authenticator.

If they lose their smart card, they must remove it from their account and enroll a new one.

Use Smart Card for verification

You can require smart cards when users sign in or access a protected app. They must perform the Smart Card verification within the time period you've configured. If they don't, the operation times out and they must authenticate again.

Sign in with Smart Card or Okta FastPass

Early Access release. See Manage Early Access and Beta features.

Currently, if you configured both the Sign in with Okta FastPass button and Smart Card as an authenticator, users only see the Smart Card option when they sign in. By enabling this feature, you can make both options available for users during the sign-in process.

Related topics

Multifactor authentication