Feature: Require Phishing-Resistant Authenticator to Enroll Additional Authenticators
Multi-Factor Authentication
Okta Identity Engine
Overview
Okta's platform provides the option to require that users authenticate with a phishing-resistant authenticator before they can enroll additional authenticators. The term "phishing-resistant" refers to an authentication method that does not depend on a shareable secret, such as a password or a one-time passcode (OTP) delivered by text message or generated by an authenticator app, which a user could be tricked into handing to an attacker. Two examples of phishing-resistant authenticators are FIDO2 (WebAuthn) and Okta FastPass, both of which use cryptographic authentication methods that never produce a shareable secret.
Applies To
  • Okta Identity Engine (OIE)
  • Multi-Factor Authentication (MFA)
Solution

To enable this feature, open the Admin Dashboard, click Settings, select Features, and then turn on Require phishing-resistant authenticator to enroll additional authenticators.

[Image: Features settings page]

When enrollment policy restrictions prevent a user from enrolling in two authenticators that meet the assurance requirements, the user cannot add any further authenticators until they satisfy the policy requirements. In this situation, the user may see an error message stating that additional authentication methods cannot be added.
[Image: Sign in error]

If a user has not enrolled a phishing-resistant authenticator and the Require phishing-resistant authenticator to enroll additional authenticators feature is turned on for their organization, the user can still add more authenticators by verifying their identity with the authenticators they already have.

If a user does not already have a phishing-resistant authenticator enrolled and this feature is turned on, they can still enroll additional authenticators. However, they must enroll two authenticators that meet the assurance requirements before they can do so.

Another possible cause of this issue is clock skew on the user's device. Ensure that the device time is correct and that it differs from the server time by no more than one minute. This is based on findings from Okta's backend logs, which showed that the issue time on the request was later than the current time on the server.
