Okta Security Knowledge - Phishing Resistant Factors
Multi-Factor Authentication
Overview

This article explains what phishing-resistant factors are and how an Okta tenant behaves when an authentication policy enables the phishing-resistant factor constraint.

Applies To
  • Okta Identity Engine (OIE)
  • Authentication Policies
  • Authenticators
  • Multi-Factor Authentication (MFA)
Cause

When the Phishing-resistant checkbox is enabled in an authentication policy, users are required to enroll in a phishing-resistant factor, such as FIDO2 (WebAuthn) or Okta Verify FastPass, at login.

However, the organization does not have FIDO2 (WebAuthn) configured as "Required" in its Factor Enrollment Policies, and Okta FastPass is not enabled, yet users are still prompted to enroll in FIDO2 (WebAuthn). This happens because Okta Verify (Push/OTP, not FastPass) is the only factor the user is enrolled in.

Require the use of Phishing Resistant factors

Solution

The Phishing Resistant constraint requires users to authenticate with a possession factor that cryptographically verifies the origin of the sign-in server. Two authenticators meet this requirement:

  • FIDO2 (WebAuthn)
  • Okta FastPass, an option within Okta Verify

Therefore, if a user is enrolled only in Okta Verify (Push/OTP, without FastPass), the policy prompts them to enroll in a phishing-resistant factor. Because FastPass is not enabled in the tenant, FIDO2 (WebAuthn) is the only option that satisfies the constraint, which is why the FIDO2 (WebAuthn) enrollment prompt appears.
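The property the constraint relies on is that a WebAuthn assertion is bound to the site where it was produced. The following Python example is added here and is not part of the Okta article or Okta's code: it performs the relying-party checks that make FIDO2 (WebAuthn) phishing-resistant, namely that the browser-reported origin is the real relying party, that the challenge is the one issued for this login, and that the authenticator signed the hash of the correct relying party ID. The relying-party ID, allowed origins, challenge and sample client data are constructed values for illustration; the final signature check over the returned payload requires the enrolled credential's public key and is left to a WebAuthn library.

```python
import base64
import hashlib
import json
from typing import Dict, Tuple

# Constructed relying-party settings for this example (assumed values, not from the Okta article).
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}
# A challenge is normally random per login; fixed here so the example is deterministic.
CHALLENGE = hashlib.sha256(b"constructed example challenge").digest()


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses inside clientDataJSON."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_client_data(client_data_json: bytes, expected_challenge: bytes) -> Tuple[bool, str]:
    """Validate clientDataJSON as a relying party must before trusting an assertion."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or foreign assertion)"
    # The browser fills in the origin, not the user or the page, so a lookalike
    # domain can never produce the relying party's origin string.
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not the relying party"
    return True, "ok"


def check_authenticator_data(auth_data: bytes) -> Tuple[bool, str]:
    """Check the authenticator-signed rpIdHash and the user-presence flag."""
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party ID"
    if not flags & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def signed_payload(auth_data: bytes, client_data_json: bytes) -> bytes:
    """The bytes the authenticator signs: authenticatorData || SHA-256(clientDataJSON).
    Verifying the signature over this payload with the enrolled public key completes the check."""
    return auth_data + hashlib.sha256(client_data_json).digest()


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes) -> Tuple[bool, str]:
    """Run the origin, challenge and rpIdHash checks in order; first failure wins."""
    ok, reason = check_client_data(client_data_json, expected_challenge)
    if not ok:
        return False, reason
    return check_authenticator_data(auth_data)


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON as a browser would produce for the given origin."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}).encode()


def make_auth_data(rp_id: str, user_present: bool = True) -> bytes:
    """Constructed authenticatorData: rpIdHash (32) || flags (1) || signCount (4)."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")


def demo() -> Dict[str, Tuple[bool, str]]:
    """Legitimate assertion passes; assertions from a lookalike origin, with a stale challenge,
    or bound to a different relying party ID are rejected."""
    good = make_client_data("https://login.example.com", CHALLENGE)
    return {
        "legitimate": verify_assertion(good, make_auth_data(RP_ID), CHALLENGE),
        "lookalike_origin": verify_assertion(make_client_data("https://login-example.com", CHALLENGE),
                                             make_auth_data(RP_ID), CHALLENGE),
        "stale_challenge": verify_assertion(make_client_data("https://login.example.com", b"\x00" * 32),
                                            make_auth_data(RP_ID), CHALLENGE),
        "wrong_rp_id": verify_assertion(good, make_auth_data("login-example.com"), CHALLENGE),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({reason})")
```

The origin and rpIdHash checks are what Okta Verify Push/OTP cannot offer: a one-time code or push approval carries no proof of which site requested it, so it can be relayed, whereas a WebAuthn assertion produced on the wrong origin simply fails verification.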

Security Knowledge

Credential theft remains the primary means by which attackers gain unauthorized access to systems. In 2021, over 80 percent of successful attacks on web applications stemmed from credential-based attacks such as phishing, credential stuffing, and password sprays.

Multi-Factor Authentication (MFA) remains the most effective form of protection against all forms of credential theft: it limits what an adversary can do with a stolen password and creates numerous detection opportunities when an adversary attempts to bypass it.

Okta offers end-to-end, identity-centric, phishing-resistant authentication that supports all user personas, from business partners to an extended workforce, and works at scale for organizations. This support includes:

  • Phishing resistance with Okta FastPass
  • Support for FIDO2 standards with WebAuthn
  • Support for PIV smart cards

Okta's solutions integrate with any device management tool to enforce phishing-resistant authentication flows. Okta also supports adding device checks to authentication policy rules, so admins can establish minimum requirements for devices that access the organization's systems and applications.


Related References

To learn more, see the multiple resources available at the Okta Support Center.
