
Understanding Okta FastPass Device Enrollment and Management

Multi-Factor Authentication
Okta Identity Engine

Overview

Device enrollment with Okta Verify is necessary for a device to be registered. The enrollment process requires authentication and generates a unique key stored on the device. Deactivating a device terminates active sessions and revokes access to Okta resources.

Applies To

  • Okta Identity Engine (OIE)
  • Okta Verify
  • Devices
  • Multi-factor Authentication (MFA)

Solution

How does the device enrollment process work?

When a user adds an account to Okta Verify, Okta requires authentication. The user provides a username, password, and an additional authenticator if required by the Global Session Policy.

Upon successful authentication, Okta generates a unique key and stores it on the device in either a hardware-backed keystore, such as the Trusted Platform Module, or in a software-backed keystore. Okta creates a device record in the Universal Directory, which associates the user with the device and the Okta Verify app instance. This device registration is viewable on the Directory > Devices page of the Okta Admin Console.

Which conditions does Okta verify during application access?

Okta verifies specific device conditions, including installation and hardware security, when a user accesses an Okta-managed application.

  • Okta Verify is installed.
  • The device is registered.
  • The device is managed by a Device Management solution.
  • Secure hardware is present.
  • The Proof of Possession key is hardware-protected.

What occurs when a device is deactivated?

Okta requires device deactivation before deletion. Upon deactivation, the device loses access to Okta resources or any associated applications.

Several actions occur immediately when a device is deactivated in Okta, including terminating active sessions and revoking device certificates.

  • Okta terminates all active sessions established on that device using Okta Verify.
  • Active sessions established without Okta Verify remain unaffected until the session ends.
  • Users cannot establish new sessions using Okta Verify.
  • Okta Verify authentication factors, such as Okta FastPass, Okta FastPass with biometrics, a temporary one-time password, and Push, cannot be used from the device. However, users can continue to use password, email, or WebAuthn authentication factors from the device.
  • Users cannot add or remove accounts from Okta Verify on the device.
  • Okta deactivates enrolled factors on the device, and users must re-enroll them when the device is reactivated.
  • Okta revokes desktop device certificates.

If all rules in the authentication policy that protect a resource require devices to be registered, Okta denies a user access on a deactivated device, regardless of enrolled factors. If the policy includes rules that allow access from unregistered devices, an end user on a deactivated device might still be able to access the resource, but not via Okta FastPass.
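As an added illustration (not Okta's code or API; the field names, factor labels and sample policies are constructed for this example), a small model of the access decision described above: which factors remain usable from a deactivated device, whether a policy whose rules all require a registered device still grants access, and the deactivate-before-delete ordering:

```python
from dataclasses import dataclass

@dataclass
class Device:
    # Constructed fields mirroring the checks listed in this article.
    registered: bool = True
    managed: bool = False
    secure_hardware: bool = False
    pop_key_hw_protected: bool = False
    status: str = "ACTIVE"  # "ACTIVE" or "DEACTIVATED" (constructed values)

@dataclass
class Rule:
    name: str
    require_registered: bool
    allowed_factors: frozenset

# Factors delivered through Okta Verify; none are usable from a deactivated device.
OKTA_VERIFY_FACTORS = frozenset({"fastpass", "fastpass_biometric", "push", "totp"})

def posture_failures(dev):
    """Return the names of the device conditions that fail."""
    checks = {"registered": dev.registered, "managed": dev.managed,
              "secure_hardware": dev.secure_hardware,
              "pop_key_hw_protected": dev.pop_key_hw_protected}
    return [name for name, ok in checks.items() if not ok]

def usable_factors(dev, enrolled):
    """Factors a user can still present from this device."""
    if dev.status == "DEACTIVATED":
        return frozenset(enrolled) - OKTA_VERIFY_FACTORS
    return frozenset(enrolled)

def evaluate_access(rules, dev, enrolled):
    """First rule that matches the device and has a usable factor wins.
    Returns (access_granted, via_fastpass)."""
    usable = usable_factors(dev, enrolled)
    for rule in rules:
        if rule.require_registered and not (dev.registered and dev.status == "ACTIVE"):
            continue  # a deactivated device no longer satisfies "registered"
        satisfying = usable & rule.allowed_factors
        if satisfying:
            return True, bool(satisfying & {"fastpass", "fastpass_biometric"})
    return False, False

def delete_device(dev):
    """Lifecycle ordering from the article: deactivate first, then delete."""
    if dev.status != "DEACTIVATED":
        raise ValueError("deactivate the device before deleting it")
    return "deleted"

# Constructed sample policies: STRICT requires a registered device in every rule,
# LENIENT adds a fallback rule that allows password, email or WebAuthn from any device.
STRICT = [Rule("registered-only", True, frozenset(OKTA_VERIFY_FACTORS | {"webauthn"}))]
LENIENT = STRICT + [Rule("any-device", False, frozenset({"password", "webauthn", "email"}))]
```

Running `evaluate_access(STRICT, Device(status="DEACTIVATED"), {"fastpass", "password", "webauthn"})` yields no access, while the same device under `LENIENT` is admitted through the fallback rule but not via FastPass.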
