Passkey Management
Okta Classic Engine
Multi-Factor Authentication
Okta Identity Engine
Overview

Passkeys are an implementation of the FIDO2 standard in which the FIDO credential may exist on multiple devices, such as phones, tablets, or laptops, and across multiple operating system platforms. Passkeys enable WebAuthn credentials to be backed up and synchronized across devices. This preserves the strong key-based, non-phishable authentication model of WebAuthn/FIDO while trading off some enterprise security features, such as device-bound keys and attestations, that are available today with some WebAuthn authenticators. Users no longer need to carry their security key or phone to pass Multi-Factor Authentication challenges. Instead, they can use any device they have already enrolled to authenticate themselves, because their credential is not confined to a single device. In managed-device environments, this means users may be able to enroll unmanaged devices with a passkey credential and use those devices to gain access to corporate systems.

For more information, see Okta's Passkey Primer or read more about passkeys on the FIDO Alliance's website.

Applies To
  • iOS 16+
  • iWatch iOS 6+
  • macOS Ventura+
  • iPad
Solution

Okta Passkey Management feature

Feature Name: Block synced Passkeys for FIDO2 (WebAuthn) Authenticators

This Okta Passkey Management feature, Block synced Passkeys for FIDO2 (WebAuthn) Authenticators, allows admins to block passkeys for new enrollments at an organizational level. This Self-Service feature is available in both Okta Classic and the Okta Identity Engine and can be accessed from the Settings page in the Admin Dashboard. When enabled by an administrator, this feature prohibits a user from enrolling a multi-device FIDO credential, such as a passkey, and thereby preempts the risk of unmanaged and insecure devices accessing sensitive applications.
 

NOTE:

  • This does not affect existing enrollments, which will continue to work according to their previous configuration. Okta is working on enhancing this feature so it can also be applied to application sign-on policies in the future.
  • When blocking the use of passkeys in the org, users running macOS Monterey cannot enroll in Touch ID using the Safari browser.
  • When passkeys are blocked in the org, iPhone users running iOS 16 on their devices cannot use the FIDO2 (WebAuthn) authenticator. Okta recommends enabling Okta FastPass or security keys that support NFC or USB-C instead. Devices running iOS 16 can still be enrolled for non-passkey uses after passkeys are blocked.


Enable Block Synced Passkeys EA Feature 

 

Frequently Asked Questions

Does this affect Classic or OIE?

This Self-Service feature, Block synced Passkeys for FIDO2 (WebAuthn) Authenticators, is available in both Classic and OIE from the Settings page in the Admin Dashboard. It is also available in the MFA/AMFA SKU, just like WebAuthn.


What can users do now that they could not before?

With this feature, admins can now block all WebAuthn authenticators that are multi-device (for example, passkeys) and also any authenticator that does not provide an attestation (since such authenticators could also be multi-device). Note that this means Safari Touch ID on macOS Monterey and Chrome on iOS 16 will be blocked for new enrollments as well.
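The two conditions this answer describes are both visible to a WebAuthn relying party in the registration response: a multi-device credential sets the BE (backup eligible) and BS (backup state) bits of the authenticatorData flags byte, and an authenticator that supplies no attestation reports the attestation statement format "none". The following Node.js script is an added example, not Okta's code, showing how a relying party can evaluate those signals at enrollment time. The sample registration data, the placeholder rpIdHash values and the function names are constructed for the example.

```javascript
// Added example (not Okta's code): enrollment-time check a WebAuthn relying party can
// run to detect multi-device (synced) credentials and unattested authenticators.

// Bits of the authenticatorData flags byte (WebAuthn Level 3, section 6.1).
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified
const FLAG_BE = 0x08; // backup eligible: the credential is a multi-device credential
const FLAG_BS = 0x10; // backup state: the credential is currently backed up / synced
const FLAG_AT = 0x40; // attested credential data follows the fixed prefix

// Constructed placeholder for SHA-256(rpId); a real relying party hashes its own rpId.
const EXPECTED_RP_ID_HASH = Buffer.alloc(32, 0xab);

// Parse the fixed prefix of authenticatorData: rpIdHash(32) || flags(1) || signCount(4).
function parseAuthData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  return {
    rpIdHash: authData.subarray(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible: (flags & FLAG_BE) !== 0,
    backedUp: (flags & FLAG_BS) !== 0,
    hasAttestedCredential: (flags & FLAG_AT) !== 0,
    signCount: authData.readUInt32BE(33),
  };
}

// Evaluate one registration response. `fmt` is the attestation statement format from the
// attestation object; "none" means the authenticator supplied no attestation at all.
function classifyEnrollment({ fmt, authData }, { expectedRpIdHash, blockSyncedPasskeys }) {
  const parsed = parseAuthData(authData);
  const reasons = [];
  // Structural checks: these reject the response regardless of the passkey policy.
  if (!parsed.rpIdHash.equals(expectedRpIdHash)) reasons.push("rpIdHash does not match this relying party");
  if (parsed.backedUp && !parsed.backupEligible) reasons.push("malformed flags: BS set without BE");
  const structurallyInvalid = reasons.length > 0;
  // Policy checks: the two conditions the blocking feature targets.
  if (parsed.backupEligible || parsed.backedUp) reasons.push("multi-device credential (BE/BS flag set)");
  if (fmt === "none") reasons.push("no attestation, so device binding cannot be verified");
  const allowed = !structurallyInvalid && (!blockSyncedPasskeys || reasons.length === 0);
  return { allowed, reasons, parsed };
}

// Build constructed authenticatorData (no attested credential data) for the samples below.
function makeAuthData(rpIdHash, flags, signCount = 0) {
  const buf = Buffer.alloc(37);
  rpIdHash.copy(buf, 0);
  buf[32] = flags;
  buf.writeUInt32BE(signCount, 33);
  return buf;
}

// Constructed sample registration responses.
const SAMPLES = {
  syncedPasskey: { fmt: "none", authData: makeAuthData(EXPECTED_RP_ID_HASH, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS) },
  unattestedDeviceBound: { fmt: "none", authData: makeAuthData(EXPECTED_RP_ID_HASH, FLAG_UP | FLAG_UV) },
  attestedSecurityKey: { fmt: "packed", authData: makeAuthData(EXPECTED_RP_ID_HASH, FLAG_UP | FLAG_UV, 1) },
  malformed: { fmt: "packed", authData: makeAuthData(EXPECTED_RP_ID_HASH, FLAG_UP | FLAG_BS) },
  wrongRp: { fmt: "packed", authData: makeAuthData(Buffer.alloc(32, 0xcd), FLAG_UP | FLAG_UV) },
};

// Run every sample with blocking on and off; returns { sampleName: { on, off } }.
function report(expectedRpIdHash = EXPECTED_RP_ID_HASH) {
  const out = {};
  for (const [name, sample] of Object.entries(SAMPLES)) {
    out[name] = {
      on: classifyEnrollment(sample, { expectedRpIdHash, blockSyncedPasskeys: true }),
      off: classifyEnrollment(sample, { expectedRpIdHash, blockSyncedPasskeys: false }),
    };
  }
  return out;
}

for (const [name, r] of Object.entries(report())) {
  console.log(`${name}: blocking on -> ${r.on.allowed}, blocking off -> ${r.off.allowed}`, r.on.reasons);
}
```

With blocking on, the synced passkey and the unattested platform credential are both refused while the attested security key is accepted; with blocking off, only the structurally invalid responses are refused. This mirrors the feature's behaviour for new enrollments only: a relying party that wants the same policy at sign-in would have to re-check the stored credential's flags at authentication time, which is the enhancement the page says Okta has not yet shipped.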

     

Does this block FIDO2 WebAuthn Authenticator Enrollments or Authentication as well?

For now, this feature flag specifically blocks only new enrollments of the FIDO2 (WebAuthn) authenticator. It does not impact existing enrollments. In the future, Okta plans to block on authentication as well as on the app sign-on policy.


What happens to end users who are currently using WebAuthn?

This feature only impacts new enrollments, so existing WebAuthn enrollments are not affected. Users can continue to use their current WebAuthn authenticators without any change. This also means that if they were already enrolled with WebAuthn passkeys, those passkeys will not be blocked. In the future, Okta will enhance this so that passkey blocking can be controlled by the app sign-on policy (ASOP) using the hardware-protected checkbox. Once that is selected, Okta expects all multi-device credentials such as passkeys to be filtered out at sign-on. The date for this work is TBD.


Is it possible to keep the current way of authenticating on Mac/iOS devices?

Customers that rely on WebAuthn with Touch ID/Face ID as their core MFA solution will be forced to make choices. The self-service EA feature does not resolve the dilemma between allowing such keys and preventing these devices from using the platform authenticator going forward. For desktop, it may be acceptable to require Chrome and not support Safari. This is not feasible for iOS devices.


What about other browsers, such as Chrome?

For new enrollments, all browsers (including Chrome) on iOS 16 will be blocked. There should be no impact on other operating systems.


How does an Admin know if a user has enrolled a passkey?

At this point, there is no way to determine this. The best approach is to block passkeys altogether, and if on OIE, FastPass may be a better alternative.


Should this feature be used to block passkeys?

Passkeys are a type of FIDO2 credential; hence, they are phishing-resistant and thus still better than passwords. However, if the enterprise has policies around using hardware-protected and device-bound credentials, then block passkeys, as they are multi-device credentials and can be exported from one device to another.


What are the potential disadvantages of allowing users to enroll in Passkeys?

Passkeys are multi-device and can be exported from secure, managed devices to potentially insecure, unmanaged devices. If the organization has access policies based on hardware-protected and device-bound credentials, then it runs the risk of exposing sensitive applications to unmanaged devices that might not conform to the device security posture specified by the administrator. This can lead to security breaches.
