Understanding Okta FastPass: Device Enrollment and Management
Overview

This article explains the process and behavior a user experiences when performing device enrollment with Okta Verify. The enrollment process is necessary for a device to be registered.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Verify
  • Devices
  • Multi-factor Authentication (MFA)
Solution

When a user adds an account to Okta Verify, authentication is required. The user must provide a username, password, and an additional authenticator if required by the Global Session Policy. 

Upon successful authentication, a unique key is generated and stored on the device in either a hardware-backed keystore, such as the Trusted Platform Module (TPM), or in a software-backed keystore. Okta creates a device record in the Universal Directory, which associates the user with the device and the Okta Verify app instance. This device registration is viewable on the Directory > Devices page of the Okta Admin Console.

When a user accesses an Okta-managed application from the device, Okta checks the following: 

  • Okta Verify is installed. 
  • The device is registered. 
  • The device is managed by a Device Management solution.
  • Secure hardware is present. 
  • The Proof of Possession key is hardware-protected.

When deleting a device in Okta, deactivation must occur first. Upon deactivation, the device no longer has access to Okta's resources or any associated applications.

When a device is deactivated, the following actions occur:

  • All active sessions established on that device using Okta Verify are terminated. 
  • Active sessions established without Okta Verify are unaffected until the session ends. 
  • New sessions using Okta Verify cannot be established. 
  • Okta Verify authentication factors, such as Okta FastPass, Okta FastPass with biometrics, a temporary one-time password, and Push, cannot be used from the device. However, users can continue to use password, email, or WebAuthn authentication factors from the device. 
  • Users cannot add or remove accounts from Okta Verify on the device.
  • Enrolled factors on the device are deactivated, and users must re-enroll them when the device is reactivated.
  • Device certificates are revoked for desktop devices.

If all rules in the authentication policy that protect a resource require devices to be registered, a user on a deactivated device is denied access to that resource, regardless of the factors they have enrolled. If the policy includes rules that allow access from unregistered devices, an end user on a deactivated device might be able to access the resource, but not by using Okta FastPass.
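The following is an added example, not Okta's own code or schema, that models the device posture checks listed above, the effects of deactivation, and the final access decision in a small Python script. The `Device` and `PolicyRule` types, the factor names, and the sample device are constructed for illustration; the real Okta device record and policy engine are more detailed than this.

```python
from dataclasses import dataclass, field
from enum import Enum

# Factors the article names as delivered through Okta Verify (constructed labels)
OKTA_VERIFY_FACTORS = frozenset({"fastpass", "fastpass_biometrics", "totp", "push"})
# Factors the article says remain usable from a deactivated device
OTHER_FACTORS = frozenset({"password", "email", "webauthn"})


class DeviceStatus(Enum):
    ACTIVE = "ACTIVE"
    DEACTIVATED = "DEACTIVATED"


@dataclass
class Device:
    """Constructed stand-in for an Okta device record (hypothetical fields)."""
    device_id: str
    status: DeviceStatus = DeviceStatus.ACTIVE
    okta_verify_installed: bool = True
    managed: bool = False
    secure_hardware: bool = False
    pop_key_hardware_protected: bool = False
    enrolled_factors: set = field(default_factory=set)
    sessions: list = field(default_factory=list)  # (session_id, factor_used) tuples


@dataclass(frozen=True)
class PolicyRule:
    """One rule of an authentication policy protecting a resource (hypothetical shape)."""
    name: str
    require_registered: bool
    allowed_factors: frozenset


def posture_checks(device: Device) -> dict:
    """Evaluate the five conditions the article lists against a device record."""
    return {
        "okta_verify_installed": device.okta_verify_installed,
        "registered": device.status == DeviceStatus.ACTIVE,
        "managed": device.managed,
        "secure_hardware": device.secure_hardware,
        "pop_key_hardware_protected": device.pop_key_hardware_protected,
    }


def deactivate(device: Device) -> None:
    """Apply the deactivation effects described in the article."""
    device.status = DeviceStatus.DEACTIVATED
    # Sessions established through Okta Verify are terminated immediately;
    # sessions established with other factors persist until they end on their own.
    device.sessions = [s for s in device.sessions if s[1] not in OKTA_VERIFY_FACTORS]


def usable_factors(device: Device) -> set:
    """Factors the user can still present from this device."""
    if device.status == DeviceStatus.DEACTIVATED:
        # Okta Verify factors are blocked; password, email and WebAuthn remain available
        return set(device.enrolled_factors) & OTHER_FACTORS
    return set(device.enrolled_factors)


def access_decision(device: Device, rules, factor: str) -> bool:
    """Grant access if any rule admits this device state and the factor presented."""
    if factor not in usable_factors(device):
        return False
    registered = device.status == DeviceStatus.ACTIVE
    for rule in rules:
        if rule.require_registered and not registered:
            continue  # this rule cannot match a deactivated (unregistered) device
        if factor in rule.allowed_factors:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: a managed laptop with a TPM-protected key and a FastPass session
    laptop = Device("dev-sample-1", managed=True, secure_hardware=True,
                    pop_key_hardware_protected=True,
                    enrolled_factors={"fastpass", "password", "webauthn"},
                    sessions=[("s1", "fastpass"), ("s2", "password")])
    strict = [PolicyRule("registered-only", True, frozenset({"fastpass", "password"}))]
    print("checks before deactivation:", posture_checks(laptop))
    print("fastpass allowed:", access_decision(laptop, strict, "fastpass"))
    deactivate(laptop)
    print("surviving sessions:", laptop.sessions)
    print("password allowed under strict policy:", access_decision(laptop, strict, "password"))
```

Running the script shows the two outcomes the article describes: with only registered-device rules the deactivated laptop is denied for every factor, and adding a rule that accepts unregistered devices lets the password through but never FastPass.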
