When an Application/Authentication policy is set to Two-Factor Authentication (2FA), the user will need one possession-based factor and one biometric factor to sign in without a password.
The Any 2 factor types option requires the user to authenticate with two authenticators from two of the following factor types:
- Knowledge-based/Biometric: Something the user knows / Something the user is
- Possession: Something the user has
These factors can be hardware-protected, device-bound, or phishing-resistant. This can be seen in the Security > Authenticators > Characteristics table.
Knowledge-based authenticators include Password and Security Questions. However, Security Questions can only be used for MFA if the user has an enrolled password. Therefore, knowledge-based authenticators can’t be used to satisfy MFA requirements for passwordless sign-in. Hence, the user needs one possession-based and one biometric factor to sign in without a password.
There are two methods to set up two-factor authentication for a passwordless sign-in experience:
- Okta Verify or WebAuthn (FIDO2)
While there are several possession-based factors, options for biometric factors only include Okta Verify and WebAuthn (FIDO2). However, when biometrics are enabled for Okta Verify or WebAuthn, either of them alone satisfies both the Possession and Biometric factor type requirements for 2FA. Therefore, the user is not prompted for any more factor types.
Thus, to configure two-factor authentication for passwordless sign-in, use either Okta Verify with Push Notification or WebAuthn, with User verification set to Required. When user verification is required, the user must enable biometrics during factor enrollment, which adds a Biometric component to the authenticator.
For example, if a user is responding to an authentication attempt with Okta Verify on an iPhone and user verification is required, a FaceID check is performed before the user is allowed to access Okta Verify to answer a challenge.
Okta Verify with TOTP, even when user verification is required, is considered only a Possession factor and alone doesn’t satisfy 2FA requirements. Okta Verify Push Notification when user verification is required counts as both Possession and Biometric factors and alone satisfies 2FA requirements if the user provides biometrics.
To set up Okta Verify, see Configure the Okta Verify authenticator.
To set up WebAuthn, see Configure a FIDO2 (WebAuthn) authenticator.
- Okta FastPass
Okta FastPass is a device-specific configuration for Okta Verify. It can also be used to enable passwordless sign-in with two-factor authentication. However, in this case, Okta Verify must be installed on the device the user is signing into.
For an ordinary Okta Verify Push challenge, the Okta Verify application need not be installed on the device the user is signing into. For example, Okta Verify installed on a cell phone may be used to answer a challenge from the desktop.
However, this is not possible when using Okta FastPass. To be able to sign into the desktop using Okta FastPass, Okta Verify must be installed on the desktop.
To set up Okta FastPass, see Configure Okta FastPass.
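The factor-type rules described above (Knowledge-based/Biometric versus Possession, the Security Questions dependency on an enrolled password, and TOTP versus Push with user verification) can be checked against a planned set of enrollments with a small model. This is an added example written for this article, not Okta code; the authenticator names and the `user_verification` flag are assumptions used to label the cases.

```python
"""Model of the 'Any 2 factor types' rules for passwordless sign-in (added example, not Okta code)."""
from dataclasses import dataclass

POSSESSION, BIOMETRIC, KNOWLEDGE = "possession", "biometric", "knowledge"


@dataclass(frozen=True)
class Authenticator:
    """One authenticator as the user responds with it (names are assumed labels)."""
    name: str                       # password | security_question | okta_verify_totp | okta_verify_push | webauthn
    user_verification: bool = False  # True when UV is required and biometrics were provided


def factor_types(auth: Authenticator, has_password: bool) -> set:
    """Return the factor types one authenticator satisfies under the rules above."""
    if auth.name == "password":
        return {KNOWLEDGE}
    if auth.name == "security_question":
        # Security Questions count for MFA only when the user has an enrolled password.
        return {KNOWLEDGE} if has_password else set()
    if auth.name == "okta_verify_totp":
        # TOTP is Possession only, even when user verification is required.
        return {POSSESSION}
    if auth.name in ("okta_verify_push", "webauthn"):
        # Push and WebAuthn add the Biometric type only when user verification is performed.
        return {POSSESSION, BIOMETRIC} if auth.user_verification else {POSSESSION}
    raise ValueError(f"unknown authenticator: {auth.name}")


def satisfies_two_factor_types(auths, passwordless: bool = True) -> bool:
    """True when the responses cover Possession plus the Knowledge-based/Biometric type.

    Types are collected across authenticators, so a single Okta Verify Push or
    WebAuthn response with user verification can satisfy 2FA on its own.
    """
    has_password = any(a.name == "password" for a in auths)
    if passwordless and has_password:
        return False  # a password response is not a passwordless sign-in
    types = set()
    for a in auths:
        types |= factor_types(a, has_password)
    return POSSESSION in types and bool(types & {KNOWLEDGE, BIOMETRIC})


if __name__ == "__main__":
    push_uv = Authenticator("okta_verify_push", user_verification=True)
    totp_uv = Authenticator("okta_verify_totp", user_verification=True)
    print("Push + UV alone:", satisfies_two_factor_types([push_uv]))   # True
    print("TOTP + UV alone:", satisfies_two_factor_types([totp_uv]))   # False
```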
