Configure the Smart Card authenticator
Learn how to use the Smart Card authenticator. You can require users to authenticate with smart cards when they sign in to Okta or when they access an app.
Depending on the Security characteristics you select when configuring the Smart Card Identity Provider (IdP), this authenticator can fulfill the following factor types and method characteristics.
| Security characteristics | Factor type | Method characteristics |
|---|---|---|
| PIN-protected | Possession + Knowledge | Device-bound, Phishing-resistant, User presence, User verifying |
| Hardware-protected | Possession | Device-bound, Hardware-protected, Phishing-resistant, User presence |
| Both PIN-protected and hardware-protected | Possession + Knowledge | Device-bound, Hardware-protected, Phishing-resistant, User presence, User verifying |
| None (software-based certificate) | Possession + Knowledge | Device-bound, Phishing-resistant, User presence |
Before you begin
Create at least one Smart Card IdP.
- See Add a Smart Card IdP.
- In Security characteristics, select the PIN protected or Hardware protected options according to the configuration of the smart cards that your org uses.
Add Smart Card as an authenticator
- In the Admin Console, go to .
- On the Setup tab, click Add authenticator.
- Click Add on the Smart Card Authenticator tile.
- From the Smart Card Identity Provider (IdP) dropdown, select all IdPs that you want to associate with this authenticator.
- Click Save.
Configure policies to use Smart Card as an authenticator
- Create an authenticator enrollment policy for the Smart Card authenticator. Select an Eligible authenticators option in the policy for the authenticator.
- Configure an authenticator enrollment policy rule to define what your users access with this authenticator. Select an option in the User is accessing section of the rule.
- Create an authentication policy for each app that you want to protect with smart cards.
- Add an authentication policy rule. Select the options that apply to your configuration in the Possession factor constraints section.
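Which Possession factor constraints a given Smart Card IdP can actually satisfy follows from the Security characteristics table above: only an IdP with Hardware protected selected yields the Hardware-protected method characteristic, and only one with PIN protected selected yields User verifying. The following is an added example (not Okta documentation or product code) that derives the method characteristics from an IdP's selected security characteristics and checks them against a rule's possession constraints, so you can see before saving a rule whether your smart-card population will pass it. The constraint names (`deviceBound`, `hardwareProtected`, `phishingResistant`, `userPresence`, `userVerification`) and the `REQUIRED`/`OPTIONAL` values are assumed to mirror the policy rule fields; confirm them against the API reference for your org. The IdP definitions and the sample rule are constructed inputs.

```python
"""Added example: map Smart Card IdP security characteristics to the method
characteristics listed on this page, then evaluate a rule's possession factor
constraints against them. Not Okta's code; constraint names are assumed."""
from dataclasses import dataclass

# Security characteristics as selected on the Smart Card IdP (constructed input).
@dataclass(frozen=True)
class SmartCardIdp:
    name: str
    pin_protected: bool
    hardware_protected: bool


def method_characteristics(idp: SmartCardIdp) -> set:
    """Method characteristics per the table: every row is device-bound,
    phishing-resistant and user-presence; hardware protection and user
    verification depend on the selected security characteristics."""
    chars = {"deviceBound", "phishingResistant", "userPresence"}
    if idp.hardware_protected:
        chars.add("hardwareProtected")
    if idp.pin_protected:
        chars.add("userVerification")
    return chars


def factor_type(idp: SmartCardIdp) -> str:
    """Factor type per the table: hardware-protected only is Possession;
    every other configuration is Possession + Knowledge."""
    if idp.hardware_protected and not idp.pin_protected:
        return "Possession"
    return "Possession + Knowledge"


def unmet_constraints(idp: SmartCardIdp, possession: dict) -> list:
    """Return the REQUIRED possession constraints this IdP cannot satisfy.
    `possession` maps an assumed constraint name to 'REQUIRED' or 'OPTIONAL'."""
    provided = method_characteristics(idp)
    return sorted(
        name for name, level in possession.items()
        if level == "REQUIRED" and name not in provided
    )


def satisfies(idp: SmartCardIdp, possession: dict) -> bool:
    """True when every REQUIRED possession constraint is met by the IdP."""
    return not unmet_constraints(idp, possession)


# Constructed sample: two IdPs and one rule's possession constraints.
PIV_IDP = SmartCardIdp("piv-cards", pin_protected=True, hardware_protected=True)
SOFT_CERT_IDP = SmartCardIdp("software-certs", pin_protected=False, hardware_protected=False)
STRICT_RULE = {
    "deviceBound": "REQUIRED",
    "hardwareProtected": "REQUIRED",
    "phishingResistant": "REQUIRED",
    "userPresence": "OPTIONAL",
    "userVerification": "REQUIRED",
}

if __name__ == "__main__":
    for idp in (PIV_IDP, SOFT_CERT_IDP):
        missing = unmet_constraints(idp, STRICT_RULE)
        verdict = "passes" if not missing else f"fails (missing: {', '.join(missing)})"
        print(f"{idp.name}: {factor_type(idp)}; strict rule {verdict}")
```

Run this against each Smart Card IdP you associated with the authenticator before tightening a rule: an IdP whose cards are only PIN-protected, or one using software-based certificates, fails any rule that sets Hardware-protected to required, and the users enrolled through it lose access to that app.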
End-user experience
There are multiple ways users can enroll their Smart Card as an authenticator:
- During the sign-in process, they click the Sign-in with PIV button and follow the instructions to enroll their Smart Card.
- During step-up authentication, they identify themselves in the Sign-In Widget and are prompted to enroll their Smart Card.
- They enroll their Smart Card through End-User Dashboard > Settings.
Enroll multiple Smart Cards
Users can have multiple active Smart Cards at a time. They can enroll different Smart Cards for different IdPs associated with the Smart Card authenticator.
If they lose their smart card, they must remove it from their account and enroll a new one.
Use Smart Card for verification
You can require smart cards when users sign in or access a protected app. They must perform the Smart Card verification within the time period you've configured. If they don't, the operation times out and they must authenticate again.
Sign in with Smart Card or Okta FastPass
Early Access release. See Manage Early Access and Beta features.
Currently, if you configured both the Sign in with Okta FastPass button and Smart Card as an authenticator, users only see the Smart Card option when they sign in. By enabling this feature, you can make both options available for users during the sign-in process.