Configure FIDO2 keys for Desktop MFA for macOS

You can set up a FIDO2 (WebAuthn) authenticator to allow users to securely sign in to their macOS devices using a security key for user verification. An admin can register these keys for users or the user can register them in the End-User Dashboard. Yubico can also deliver them directly to new, onboarding users, pre-enrolled with the user's data and your org configuration.

Desktop MFA for macOS supports FIDO2 YubiKeys with or without a PIN or fingerprint. If you enable User Verification with Biometrics in your authentication policy, users can verify their identity with the FIDO2 key as long as you also enable User Verification in FIDO2 (WebAuthn) settings. To use YubiKeys with PINs and biometrics, set User Verification to Required in the FIDO2 (WebAuthn) authenticator settings and in your authentication policy. See Authentication policies.

Tasks

Set up the FIDO2 (WebAuthn) authenticator

To enable users to authenticate with a FIDO2 key, set up the FIDO2 (WebAuthn) authenticator in the Admin Console. If you already have the FIDO2 (WebAuthn) authenticator added, you can't add another. Ensure that the settings for the existing FIDO2 (WebAuthn) authenticator are appropriate for your org.

  1. In the Admin Console, go to Security Authenticators.

  2. Click Add authenticator.

  3. From the list of authenticators, click Add under FIDO2 (WebAuthn).

  4. On the General settings page, click Edit.

  5. Under Settings, use the dropdown menu to select a User verification method. Review the content below the setting to learn more about what each user verification type does. Required is recommended if you want the FIDO2 keys to require a PIN or biometrics for user authentication.

  6. Click Save.

After you set up the FIDO2 (WebAuthn), individually configure your users to use the keys. Users can also complete the registration themselves. See User registers a FIDO2 key

Configure FIDO2 keys

There are several ways you can prepare a FIDO2 key for your users:

  • Manually configure keys for users in the Admin Console.

  • Have users set up their own FIDO2 keys in the End-User Dashboard.

  • Use the pre-enrolled YubiKey workflow. See Set up YubiKey - Okta flow

Choose the registration method that works best for your org.

Register a FIDO2 key on behalf of users

  1. In the Admin Console, go to Directory People.
  2. Click a user to open their profile.
  3. Click More Actions and choose Enroll FIDO2 Security Key from the list.
  4. Insert the FIDO2 key into your computer and click Register.
  5. Follow the prompts until you receive confirmation that the FIDO2 key has been successfully registered to the user.
  6. Give the enrolled FIDO2 key to the appropriate user.

Admins are unable to set up biometrics on FIDO2 keys for users. A "push denied" message appears if User Verification with Biometrics is required in your authentication policy, and the user doesn't have User Verification enabled during mobile Okta Verify enrollment. The user sees this message when they select a verification factor. Users can change this setting in the Okta End-User Dashboard.

User registers a FIDO2 key

If a user receives a FIDO2 security key, they can register the key using the Okta End-User Dashboard. Encourage your users to set up the security key with biometrics for the most secure option.

  1. Sign in to the Okta End-User Dashboard with your Okta credentials.
  2. Click your name in the upper-right corner and select Settings.
  3. Under Security Methods, locate Security Key or Biometric Authenticator and click Set up another.
  4. Verify your identity with one of the presented options, and then click Set up.
  5. Follow the prompts to register the FIDO2 key to your Okta account.

After you successfully register, you can securely verify your identity by inserting the FIDO2 key in your macOS device and following the prompts on your screen.

Optional: Adjust USB Restriction Mode on Apple silicon devices

On computers with an Apple silicon chip running macOS Ventura and up, Apple has introduced a USB Restriction Mode setting that determines if new or unknown USB devices, including YubiKey and FIDO2 keys, are allowed to connect. By default, USB Restriction Mode is set to Ask for New Accessories. Changing this setting alters how your users can verify their identity using registered security keys.

The available settings for USB Restriction Mode are:

  • Ask Every Time: Users can't use a FIDO2 key unless one of the following items occurs:

    • The key was approved for connection within the last three days.

    • The key hasn't been removed from the computer.

    • The computer hasn't been rebooted since the key was approved for connection.

  • Ask for New Accessories: Users can't use a FIDO2 key unless the key was approved for connection within the last three days.

  • Automatically When Unlocked: Users can't use a FIDO2 key unless the key was approved for connection within the last three days.

  • Always: Users can use a FIDO2 key.

You can modify the USB Restriction Mode with your MDM. See USB Restriction Mode from Apple Support.

Next steps

Support your macOS Desktop MFA users