Using FIDO2 Security Keys with Okta

Okta is a cloud-based identity and access management (IAM) platform that helps organizations securely manage user authentication and authorization for applications and services. It provides tools for Single Sign-On (SSO), Multi-Factor Authentication (MFA), user lifecycle management, and API access control. Okta supports Token2 FIDO2 keys for phishing-resistant passwordless authentication or as a Multi-Factor Authentication (MFA) method.
Classic and programmable tokens can also be used with Okta; however, FIDO2 keys are recommended as the more secure solution.

Requirements:

• Access to the Okta Admin Dashboard.
• Admin rights to enable security keys (not required if security keys are already enabled).
• A modern browser that supports security keys.
• A Token2 FIDO security key.

Enable 2FA Method

1. In the Admin Console, go to Security->Authenticators.

2. Click "Add authenticator".

3. Click 'Add' next to the 'FIDO2 (WebAuthn)' method.
4. Click 'Add' again to complete the process.

Enroll a FIDO2 (WebAuthn) security key for a user

After enabling the FIDO2 (WebAuthn) method, the security key can be enrolled:
a) By the user at the login window after entering their password:

b) By an admin through the admin panel on behalf of any user listed in the Okta Directory.
1. In the Admin Console, go to Directory->People.
2. Enter the user's name in the search field and press Enter. Alternatively, click Show all users, find the user in the list, and click the user's name.
3. In the More Actions menu, select 'Enroll FIDO2 Security Key'.

4. Click 'Register' to continue.

5. The security key enrollment wizard will start. Insert the security key and click 'OK' to continue.

6. Touch the button on the security key to complete registration. Note: Security keys differ in how they are activated; your key may require a tap or a button press to confirm registration.

7. Click 'OK' to complete the enrollment wizard.

8. A confirmation that the passkey was added successfully is displayed.

Use a FIDO2 security key to log in

The security key is now ready to use with your Okta service as a multi-factor authentication (MFA) method. After entering your email address and password, select "Security Key or Biometric Authenticator" from the available MFA methods.

Insert the security key and continue to successfully log in.
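Once keys have been enrolled, an administrator usually wants to confirm at scale which users actually have an active FIDO2 (WebAuthn) factor and which still rely only on the weaker classic/programmable token or telephony methods mentioned above. The following is an added example, not Token2 or Okta code: it parses the factor list returned by Okta's Users Factors API (GET /api/v1/users/{userId}/factors with an SSWS API token) and reports the gap; the sample response is constructed and the ids are placeholders.

```python
"""Audit an Okta user's enrolled factors for an active FIDO2 (WebAuthn) key.

Added example, not Token2 or Okta code. Reads the JSON returned by Okta's
Users Factors API (GET /api/v1/users/{userId}/factors, SSWS API token).
The sample response below is constructed so the script runs offline.
"""
import json
import urllib.request

# Okta factorType values for methods that are not phishing-resistant:
# TOTP/HOTP (classic and programmable tokens) plus telephony/email/question.
WEAKER_FACTORS = {"token:software:totp", "token:hotp", "sms", "call", "email", "question"}

def classify_factors(factors):
    """Return (has_active_webauthn, sorted list of ACTIVE weaker factor types)."""
    active = [f for f in factors if f.get("status") == "ACTIVE"]
    has_webauthn = any(f.get("factorType") == "webauthn" for f in active)
    weaker = sorted({f["factorType"] for f in active if f.get("factorType") in WEAKER_FACTORS})
    return has_webauthn, weaker

def audit_user(user_login, factors):
    """Produce a one-line finding for one user from their factor list."""
    has_webauthn, weaker = classify_factors(factors)
    if has_webauthn and not weaker:
        return f"{user_login}: OK (FIDO2 only)"
    if has_webauthn:
        return f"{user_login}: FIDO2 enrolled, weaker fallbacks still active: {', '.join(weaker)}"
    return f"{user_login}: NO FIDO2 key enrolled"

def fetch_factors(org_url, api_token, user_id):
    """Live call (not used offline): list a user's factors from Okta."""
    req = urllib.request.Request(
        f"{org_url}/api/v1/users/{user_id}/factors",
        headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

# Constructed sample in the shape Okta returns; ids and numbers are placeholders.
SAMPLE_FACTORS = json.loads("""[
  {"id": "fwf-PLACEHOLDER-1", "factorType": "webauthn", "provider": "FIDO",
   "status": "ACTIVE", "profile": {"authenticatorName": "Token2 FIDO2 key"}},
  {"id": "ost-PLACEHOLDER-2", "factorType": "token:software:totp", "provider": "OKTA",
   "status": "ACTIVE", "profile": {"credentialId": "user@example.com"}},
  {"id": "sms-PLACEHOLDER-3", "factorType": "sms", "provider": "OKTA",
   "status": "PENDING_ACTIVATION", "profile": {"phoneNumber": "+1555PLACEHOLDER"}}
]""")

if __name__ == "__main__":
    print(audit_user("user@example.com", SAMPLE_FACTORS))
    # → user@example.com: FIDO2 enrolled, weaker fallbacks still active: token:software:totp
```

Pending factors are ignored on purpose: only an ACTIVE factor can be used at sign-in, so only those matter when deciding whether a weaker fallback is still available to an attacker who has phished the password.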