Phishing resistant authentication
Phishing-resistant authentication detects and prevents the disclosure of sensitive authentication data to fake applications or websites. WebAuthn (FIDO 2) and Okta FastPass (a verification option in Okta Verify) are phishing-resistant authenticators that prevent email, SMS, and social media phishing attacks. They don’t protect against attacks when the computer or network is already compromised.
Workflow
To ensure that users sign in with phishing-resistant factor types, follow these steps:
- Set up WebAuthn (FIDO 2) and Okta Verify.
- Configure authentication policy rules that require a phishing-resistant possession factor: WebAuthn (FIDO 2) or Okta FastPass, which comes with Okta Verify.
- If you use Okta FastPass for iOS or macOS managed devices, configure an SSO extension profile.
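To verify the second step across an org, an added example (not Okta's own code) that audits authentication policy rules and lists the active ALLOW rules that lack a possession constraint requiring phishing resistance. It assumes the rule JSON shape of the Okta Access Policy Rule API (actions.appSignOn.verificationMethod.constraints[].possession.phishingResistant); the sample rules are constructed.

```python
"""Audit Okta authentication policy rules for a phishing-resistant
possession constraint. Added example, not Okta's own code. Assumed shape:
rule["actions"]["appSignOn"]["verificationMethod"]["constraints"][i]
    ["possession"]["phishingResistant"] == "REQUIRED"
"""
from typing import Iterable


def rule_requires_phishing_resistance(rule: dict) -> bool:
    """True if the rule's assurance verification method has at least one
    constraint whose possession factor must be phishing resistant
    (WebAuthn/FIDO2 or Okta FastPass)."""
    vm = (rule.get("actions", {}).get("appSignOn", {})
              .get("verificationMethod", {}))
    if vm.get("type") != "ASSURANCE":
        return False
    return any(c.get("possession", {}).get("phishingResistant") == "REQUIRED"
               for c in vm.get("constraints", []))


def find_weak_rules(rules: Iterable[dict]) -> list[str]:
    """Names of ACTIVE rules that allow access without requiring a
    phishing-resistant possession factor. Inactive and DENY rules are skipped."""
    weak = []
    for rule in rules:
        sign_on = rule.get("actions", {}).get("appSignOn", {})
        if rule.get("status") != "ACTIVE" or sign_on.get("access") != "ALLOW":
            continue
        if not rule_requires_phishing_resistance(rule):
            weak.append(rule["name"])
    return weak


# Constructed sample rules (not from any real org).
SAMPLE_RULES = [
    {"name": "Require phishing-resistant factor", "status": "ACTIVE",
     "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
         "type": "ASSURANCE", "factorMode": "2FA", "reauthenticateIn": "PT12H",
         "constraints": [{"possession": {"deviceBound": "REQUIRED",
                                         "phishingResistant": "REQUIRED"}}]}}}},
    {"name": "Any 2FA", "status": "ACTIVE",
     "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
         "type": "ASSURANCE", "factorMode": "2FA",
         "constraints": [{"possession": {"deviceBound": "REQUIRED"}}]}}}},
    {"name": "Block unmanaged", "status": "ACTIVE",
     "actions": {"appSignOn": {"access": "DENY"}}},
    {"name": "Legacy", "status": "INACTIVE",
     "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
         "type": "ASSURANCE", "factorMode": "1FA", "constraints": []}}}},
]

if __name__ == "__main__":
    for name in find_weak_rules(SAMPLE_RULES):
        print(f"rule allows sign-in without phishing resistance: {name}")
```

Fetch real rules with GET /api/v1/policies/{policyId}/rules and pass the decoded list to find_weak_rules in place of SAMPLE_RULES.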
User experience
If phishing attempts occur when users authenticate with Okta FastPass, the events are recorded in the System Log. A message flags the authentication failure: FastPass declined phishing attempt.
When users access resources protected by a policy that requires phishing resistance, they can authenticate with WebAuthn or Okta FastPass. If Okta FastPass isn't supported, users are prompted to sign in with WebAuthn.
Phishing-resistant authentication on managed devices
For managed devices, authentication with Okta FastPass or WebAuthn is phishing resistant on all supported operating systems when users access their apps directly or from a supported browser.
On managed Windows devices, authentication with Okta FastPass or WebAuthn is phishing resistant only if users access the apps from a supported browser.
Operating system | Supported browsers | Native apps |
---|---|---|
Android | Okta FastPass or WebAuthn | Okta FastPass or WebAuthn |
iOS | Okta FastPass or WebAuthn | Okta FastPass or WebAuthn |
macOS | Okta FastPass or WebAuthn | Okta FastPass or WebAuthn |
Windows | Okta FastPass or WebAuthn | No phishing-resistant authentication* |
* Access is denied.
Phishing-resistant authentication on unmanaged devices
For unmanaged devices, authentication with Okta FastPass or WebAuthn is phishing resistant on all supported operating systems when users access their apps from a supported browser.
If users access Android or iOS apps directly, authentication with Okta FastPass or WebAuthn is phishing resistant.
If users access macOS apps on unmanaged devices, they must authenticate with WebAuthn to satisfy the phishing-resistance requirement.
When users try to authenticate with Okta FastPass or WebAuthn to access Windows apps on unmanaged devices, the phishing resistance requirement isn't satisfied. Therefore, Okta denies access.
Operating system | Supported browsers | Native apps |
---|---|---|
Android | Okta FastPass or WebAuthn | Okta FastPass or WebAuthn |
iOS | Okta FastPass or WebAuthn | Okta FastPass or WebAuthn |
macOS | Okta FastPass or WebAuthn | WebAuthn |
Windows | Okta FastPass or WebAuthn | No phishing-resistant authentication* |
* Access is denied.