Require phishing-resistant authenticator to enroll additional authenticators

Okta allows you to require users to authenticate themselves using a phishing-resistant authenticator before they enroll themselves in additional authenticators.

Phishing-resistant means there's no information that a user can give to someone else, such as a password or a one-time password (OTP) in a text message or authentication app. FIDO2 (WebAuthn) and Okta FastPass are phishing-resistant authenticators because they use authentication methods that don't create shareable information.

If a user doesn't have a phishing-resistant authenticator enrolled and this feature is turned on, they may still enroll in additional authenticators. They must be enrolled in two authenticators that satisfy assurance requirements.

For more information on authenticators and their factor types and method characteristics, see Multifactor authentication and About MFA authenticators.

Require phishing-resistant authenticators for new MFA enrollments

When you perform this procedure, users are prompted during onboarding to Okta to enroll in the phishing-resistant authenticators first, before they can enroll in any other authenticators.

  1. Activate the FIDO2 (WebAuthn) authenticator. See Configure the FIDO2 (WebAuthn) authenticator for instructions.

  2. Activate the Okta Verify authenticator and enable Okta FastPass. See Configure the Okta Verify authenticator and Configure Okta Verify options for instructions.

  3. Create an authenticator enrollment policy. See Create an authenticator enrollment policy for instructions.

  4. In the Eligible authenticators list, select Required for the FIDO2 (WebAuthn) and/or Okta Verify authenticators.

  5. Configure an authentication policy rule. See Configure an authenticator enrollment policy rule for instructions.

  6. In the Admin Console, go to SettingsFeatures.

  7. Click the toggle switch for Require phishing-resistant authenticator to enroll additional authenticators to turn it on.

End-user experience

Enroll in a phishing-resistant authenticator during onboarding to Okta

When this feature is turned on, users must enroll in a phishing-resistant authenticator when they onboard to Okta, enroll in MFA for the first time, or when they sign in to Okta.

They may then enroll in the other authenticators. Users must authenticate with the phishing-resistant authenticator when they enroll in the additional authenticators.

Okta recommends that users enroll a roaming authenticator, such as a FIDO2 (WebAuthn) security key, as their first phishing-resistant authenticator. This makes it possible to enroll additional laptops, desktops, and mobile devices, at a later time. If a user enrolls in Okta FastPass, they may only use this authenticator to enroll additional mobile devices, not laptops or desktops.

See Configure the FIDO2 (WebAuthn) authenticator and Okta FastPass for instructions on enrolling in these authenticators.

Enroll in MFA on another laptop or desktop

When a user attempts to enroll in MFA on another device, the user may only use a security key or Okta FastPass to verify their identity on the other laptop or desktop. If they use a security key, it must be the same security key they used when they first enrolled in their phishing-resistant authenticator on their first device.

If a user doesn’t enroll in a roaming authenticator, they may not be able to complete enrollment on other devices, depending on the device type.

After they authenticate with their security key or Okta FastPass, Okta presents the other authenticators that their admin has enabled for them, and they enroll in their authenticators in the usual way.

For instructions on enrolling in authenticators, see Multifactor authentication, and select the authenticator you want to enroll in.

Enroll in Okta FastPass on a mobile device

This procedure describes how users enroll in Okta FastPass on a mobile device when this feature is turned on and when the user hasn’t enrolled a roaming authenticator for themselves.

  1. On your first device (usually your primary laptop or desktop), enroll in Okta FastPass during onboarding onto Okta. See Enable Okta FastPass for instructions.

  2. On the same device, sign in to the Okta Dashboard. Click your name and select Settings.

  3. In the Security Methods section, click Set up another for Okta Verify.

  4. Authenticate with Okta FastPass or FIDO2 (WebAuthn).

  5. On your mobile device, enroll in other authenticators as required. You are prompted to authenticate with your phishing-resistant authenticator before you can add the additional authenticators.

Considerations

  • If a user isn’t enrolled in a phishing-resistant authenticator and this feature is activated for their org, they can still enroll in additional authenticators using their existing authenticators to verify their identity.

  • If this feature is enabled for an org but the admin hasn’t activated the FIDO2 (WebAuthn) or Okta FastPass authenticators, users can still enroll in additional authenticators using their existing authenticators to verify their identity.

Related topics

Configure the FIDO2 (WebAuthn) authenticator

Okta FastPass

Multifactor authentication

About MFA authenticators