Configuring Okta for passwordless authentication
  • 23 Apr 2025

Article summary

This guide provides step-by-step instructions on how to configure Okta to use DIGIPASS FX7 authenticators for multi-factor authentication (MFA) to ensure secure and efficient authentication for your users.

Before you begin

  • Ensure that you have an Okta account with administrative access.

  • Ensure that you have DIGIPASS FX7 authenticators ready for configuration.

Configuring passwordless authentication

Configuring Okta to allow authentication with FIDO2 passkeys includes the following steps:

  1. Setting up the FIDO2 (WebAuthn) authenticator in Okta. The FIDO2 (WebAuthn) authenticator can be used for authentication when users sign in to Okta.

  2. Creating the required user groups. You can group users to simplify user management and access rights.

  3. Configuring an authenticator enrollment policy. Authenticator enrollment policies specify how and when users can enroll authenticators.

  4. Configuring an authentication policy to use FIDO2. Authentication policies specify the authentication factor requirements when users sign in.

  5. Configuring a global session policy. Global session policies specify the context necessary for users to advance to the next authentication step and the actions to take in those cases.

Step 1: Set up FIDO2 (WebAuthn) authenticator in Okta

  1. Sign in to the Okta Admin Console using your administrator credentials.

  2. Navigate to Security > Authenticators.

  3. Configure the FIDO2 (WebAuthn) authenticator:

    1. Switch to the Setup tab.

    2. Click Actions in the FIDO2 (WebAuthn) row.

    3. Click Edit.

    4. Under Settings, select Required from the User verification list. Users will now always be prompted for user verification when they enroll a new FIDO2 (WebAuthn) authenticator.

    5. Click Save.

Step 2: Create required user groups

  1. Sign in to the Okta Admin Console using your administrator credentials.

  2. Navigate to Directory > Groups.

  3. Click Add Group.

  4. Type a name for the new group in the Name box.

  5. Click Save.

  6. Repeat these steps to create all the groups you need for new and existing users, e.g., New Employees and Existing Employees.

Step 3: Configure authenticator enrollment policy

  1. Sign in to the Okta Admin Console using your administrator credentials.

  2. Navigate to Security > Authenticator Enrollment.

  3. Click Add Policy.

  4. Assign the policy to the user groups that you created in the previous steps.

  5. Set the following conditions:

    • Email: Disabled

    • Okta Verify: Disabled

    • Password: Required

    • FIDO2 (WebAuthn): Required

  6. Click Update Policy.

Step 4: Configure authentication policy for Okta Dashboard

  1. Sign in to the Okta Admin Console using your administrator credentials.

  2. Navigate to Security > Authentication Policies.

  3. Click Okta Dashboard.

  4. In the Rules tab, select Catch-all Rule and click Actions > Edit.

  5. Configure the following THEN conditions:

    • User must authenticate with: Any two factor types

    • Possession factor constraints are: Phishing resistant, Require user interaction

    • Authentication methods: Allow specific authentication methods and add the FIDO2 (WebAuthn) method

  6. Click Save.

  7. Move the rule to the top of the priority list.

  8. Switch to the Applications tab, and click Add App.

  9. Add the Okta Dashboard app to the policy.

  10. Search for other apps that you want to assign to these users and add them to the policy.

Step 5: Configure global session policy

  1. Sign in to the Okta Admin Console using your administrator credentials.

  2. Navigate to Security > Global Session Policies.

  3. Click the Pencil icon next to Default Rule.

  4. Edit the global session policy rule with the following conditions:

    • Establish the user session with: Any factor used to meet the authentication policy requirements

    • Multifactor authentication (MFA): Required

    • Users will be prompted for MFA: At every sign-in

  5. Click Update Rule.

  6. Move the policy to the top of the priority list.
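
As an added check for the Step 4 settings (this is not code from the article or from Okta), the following script audits an authentication-policy rule for the THEN conditions listed there: any two factor types, a phishing-resistant possession factor that requires user interaction, and FIDO2 (WebAuthn) among the allowed methods. The rule field names are assumed to follow the shape of an Okta Policy API access-policy rule, and both sample rules are constructed.

```python
"""Audit an Okta authentication-policy rule for the Step 4 settings.

Added example; not part of the original article and not Okta's code.
The rule dictionaries below are constructed, and their field names follow
the shape assumed here for an Okta Policy API access-policy rule
(actions.appSignOn.verificationMethod); check them against a rule
exported from your own tenant before relying on the audit.
"""

REQUIRED = "REQUIRED"


def audit_access_policy_rule(rule: dict) -> list[str]:
    """Return findings for a rule; an empty list means it matches Step 4."""
    findings = []
    method = rule.get("actions", {}).get("appSignOn", {}).get("verificationMethod", {})
    # "User must authenticate with: Any two factor types"
    if method.get("factorMode") != "2FA":
        findings.append("factorMode is not 2FA (any two factor types)")
    constraints = method.get("constraints") or []
    if not constraints:
        findings.append("no possession factor constraints are set")
    for constraint in constraints:
        possession = constraint.get("possession", {})
        # "Possession factor constraints are: Phishing resistant"
        if possession.get("phishingResistant") != REQUIRED:
            findings.append("possession factor is not required to be phishing resistant")
        # "Require user interaction"
        if possession.get("userPresence") != REQUIRED:
            findings.append("possession factor does not require user interaction")
        # "Allow specific authentication methods" must include FIDO2 (WebAuthn)
        allowed = {m.get("key") for m in possession.get("authenticationMethods", [])}
        if "webauthn" not in allowed:
            findings.append("FIDO2 (WebAuthn) is not an allowed authentication method")
    return findings


# Constructed sample: a permissive catch-all rule before Step 4 is applied.
WEAK_RULE = {"name": "Catch-all Rule", "actions": {"appSignOn": {
    "access": "ALLOW",
    "verificationMethod": {"factorMode": "1FA", "type": "ASSURANCE", "constraints": []}}}}

# Constructed sample: the same rule after the Step 4 THEN conditions.
HARDENED_RULE = {"name": "Catch-all Rule", "actions": {"appSignOn": {
    "access": "ALLOW",
    "verificationMethod": {"factorMode": "2FA", "type": "ASSURANCE", "constraints": [
        {"possession": {"phishingResistant": REQUIRED, "userPresence": REQUIRED,
                        "authenticationMethods": [{"key": "webauthn", "method": "webauthn"}]}}]}}}}

if __name__ == "__main__":
    for name, rule in (("weak", WEAK_RULE), ("hardened", HARDENED_RULE)):
        print(name, audit_access_policy_rule(rule) or ["OK"])
```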

