Biometric user verification in authentication policies

Early Access release. See Enable self-service features.

When you add an authentication policy rule, you can restrict the use of passcode and require biometrics for user verification.

Under the AND Possession factor constraints are setting, select one of the following options for Require user interaction:

  • Any interaction: If you select this option, and the authentication policy requires a possession factor, Okta Verify may perform certificate-based authentication. This allows users to access the resource without proving that they're physically present. You can't use a security question as an additional factor if this option isn't selected.
  • Require device passcode or biometric user verification: This option requires users to enter a device passcode or use biometrics to verify their identity. When you select this option, users must verify their identity with one of the following authenticators that prove user presence:

    Configure multiple authenticators to prevent users from being locked out and ensure that new enrollments in these authenticators satisfy the user verification requirement.

    Okta also recommends that you require user enrollment in the authenticators that satisfy user verification. See Create an authenticator enrollment policy. In the Authenticators section, set each of your user presence authenticators to Required.

    If a user is already enrolled in an authenticator but didn't activate a user verification option in it, such as enabling facial or fingerprint scanning in Okta Verify, they can't authenticate. Users must reset these enrollments and replace them with new ones, or activate push notifications and biometric verification in Okta Verify.

  • Require biometric user verification: This option requires users to authenticate with biometrics. They must use either Okta FastPass or Okta Verify with Push on Android, iOS, and macOS.

    By Windows design, biometrics and PIN are equivalent Windows Hello options. Therefore, when this option is enabled, authentication fails for Windows users who sign in with a Windows Hello PIN. Set up another rule for Windows users that allows them to authenticate using an alternate method.
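The two caveats above (Windows users stranded by a biometric-only rule, and lockout when only one user-verification authenticator is configured) can be checked before a policy goes live. The following is an added audit example, not Okta's code; it uses a simplified, hypothetical rule representation with constructed sample rules, not the Okta API schema.

```python
"""Audit constructed authentication-policy rules for the two caveats."""
from dataclasses import dataclass, field

# The three Require user interaction options described on this page.
ANY = "Any interaction"
PASSCODE_OR_BIO = "Require device passcode or biometric user verification"
BIOMETRIC = "Require biometric user verification"

# Platforms where biometrics and PIN are equivalent (Windows Hello), so a
# biometric-only rule fails for PIN users unless another rule covers them.
PIN_EQUIVALENT_PLATFORMS = {"WINDOWS"}


@dataclass
class Rule:  # hypothetical, simplified rule shape (not the Okta API)
    name: str
    user_interaction: str
    platforms: set = field(default_factory=set)       # platforms the rule applies to
    authenticators: set = field(default_factory=set)  # user-presence authenticators


def audit(rules):
    """Return (rule name, finding) pairs; an empty list means no caveat applies."""
    findings = []
    # Platforms that have at least one rule with a non-biometric-only path.
    fallback_platforms = set()
    for r in rules:
        if r.user_interaction != BIOMETRIC:
            fallback_platforms |= r.platforms
    for r in rules:
        if r.user_interaction == BIOMETRIC:
            stranded = (r.platforms & PIN_EQUIVALENT_PLATFORMS) - fallback_platforms
            if stranded:
                findings.append((r.name, "biometric-only rule leaves Windows Hello "
                                 f"PIN users on {sorted(stranded)} without an alternate rule"))
        if r.user_interaction != ANY and len(r.authenticators) < 2:
            findings.append((r.name, "fewer than two user-verification "
                             "authenticators; users risk lockout"))
    return findings


# Constructed sample policies: a broken set and a corrected set.
BROKEN_RULES = [
    Rule("Everyone", BIOMETRIC, {"WINDOWS", "MACOS", "IOS", "ANDROID"},
         {"Okta FastPass", "Okta Verify Push"}),
    Rule("Contractors", PASSCODE_OR_BIO, {"MACOS"}, {"Okta FastPass"}),
]
FIXED_RULES = BROKEN_RULES[:1] + [
    Rule("Contractors", PASSCODE_OR_BIO, {"MACOS"}, {"Okta FastPass", "Okta Verify Push"}),
    Rule("Windows fallback", PASSCODE_OR_BIO, {"WINDOWS"}, {"Okta FastPass", "Okta Verify Push"}),
]

if __name__ == "__main__":
    for name, finding in audit(BROKEN_RULES):
        print(f"{name}: {finding}")
```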

Related topics

User experience according to Okta Verify user verification settings