Biometric user verification in authentication policies
Early Access release. See Enable self-service features.
When you add an authentication policy rule, you can require the use of a device passcode or biometrics for user verification.
These options appear in two places on the Add Rule page for authentication policies:
- In the AND Possession factor constraints are section, under the Require user interaction option.
- In the AND User must authenticate with section, select Authentication method chain from the dropdown menu. Then select Okta Verify - Push or Okta Verify - FastPass as the first authentication method.
Okta requires user interaction for Okta Verify - Push and Okta Verify - FastPass. Without it, authentication would complete without displaying anything to the user, so the user couldn't choose an authenticator and follow that authentication method chain, and couldn't choose authentication method chains in the future either.
Select an option:
- Any interaction: If you select this option, and the authentication policy requires a possession factor, Okta Verify may perform certificate-based authentication. This allows users to access the resource without proving that they're physically present. You can't use a security question as an additional factor if this option isn't selected.
- Require device passcode or biometric user verification: This option requires users to enter a device passcode or use biometrics to verify their identity. When you select this option, users must verify their identity with one of the following authenticators that proves user presence:
Configure multiple authenticators to prevent users from being locked out and ensure that new enrollments in these authenticators satisfy the user verification requirement.
Okta also recommends that you require user enrollment in the authenticators that satisfy user verification. See Create an authenticator enrollment policy. In the Authenticators section, set each of your user presence authenticators to Required.
If a user didn't activate a user verification option in an authenticator they enrolled in (for example, they didn't enable facial or fingerprint scanning in Okta Verify), they can't authenticate. Users must reset these enrollments and replace them with new ones, or activate push notifications and biometric verification in Okta Verify.
- Require biometric user verification: This option requires users to authenticate with biometrics. They must use either Okta FastPass or Okta Verify with Push on Android, iOS, and macOS.
By Windows design, biometrics and PIN are equivalent Windows Hello options. Therefore, when this option is enabled, authentication fails for Windows users who sign in with a Windows Hello PIN. Set up another rule for Windows users that allows them to authenticate using an alternate method.
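As an added audit example (not from Okta's documentation), the script below walks authentication-policy rules in the shape returned by Okta's Policy API and flags ALLOW rules whose possession constraint doesn't require user verification. It assumes that the API's `userVerification` value REQUIRED corresponds to the Require device passcode or biometric user verification option and OPTIONAL to Any interaction; the rule objects are constructed samples, not real tenant data.

```python
"""Flag Okta access-policy rules that grant access without user verification.

Assumption: rules follow the Okta Policy API shape
actions.appSignOn.verificationMethod.constraints[].possession.userVerification,
with OPTIONAL meaning "Any interaction" and REQUIRED meaning
"Require device passcode or biometric user verification".
"""
from typing import Any

# Constructed sample rules (not from a real org), shaped like API responses.
SAMPLE_RULES: list[dict[str, Any]] = [
    {"name": "Catch-all rule", "actions": {"appSignOn": {"access": "ALLOW",
        "verificationMethod": {"type": "ASSURANCE", "factorMode": "2FA",
            "constraints": [{"possession": {"userVerification": "OPTIONAL"}}]}}}},
    {"name": "Finance app", "actions": {"appSignOn": {"access": "ALLOW",
        "verificationMethod": {"type": "ASSURANCE", "factorMode": "2FA",
            "constraints": [{"knowledge": {"types": ["password"]},
                             "possession": {"deviceBound": "REQUIRED",
                                            "userVerification": "REQUIRED"}}]}}}},
    {"name": "Deny high risk", "actions": {"appSignOn": {"access": "DENY"}}},
    {"name": "Password only", "actions": {"appSignOn": {"access": "ALLOW",
        "verificationMethod": {"type": "ASSURANCE", "factorMode": "1FA",
            "constraints": [{"knowledge": {"types": ["password"]}}]}}}},
]


def possession_constraints(rule: dict[str, Any]) -> list[dict[str, Any]]:
    """Return every possession constraint object attached to a rule."""
    method = rule.get("actions", {}).get("appSignOn", {}).get("verificationMethod", {})
    return [c["possession"] for c in method.get("constraints", []) if "possession" in c]


def weak_rules(rules: list[dict[str, Any]]) -> list[str]:
    """Names of ALLOW rules where some path to access skips user verification.

    A rule is flagged if it has no possession constraint at all (e.g. 1FA or
    knowledge-only) or if any possession constraint is not REQUIRED, because
    the user can then satisfy the rule without proving physical presence.
    """
    findings = []
    for rule in rules:
        if rule.get("actions", {}).get("appSignOn", {}).get("access") != "ALLOW":
            continue  # DENY rules never grant access, nothing to check
        constraints = possession_constraints(rule)
        if not constraints or any(c.get("userVerification") != "REQUIRED" for c in constraints):
            findings.append(rule["name"])
    return findings


if __name__ == "__main__":
    for name in weak_rules(SAMPLE_RULES):
        print(f"user verification not required: {name}")
```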
Related topics
User experience according to Okta Verify user verification settings