When enabling the FIDO2 Web Authentication (WebAuthn) factor on the *.okta.com URL, access to the organization will only be granted through that URL. On the other hand, if the FIDO2 (WebAuthn) factor is set up using a custom URL for the Okta organization, access will only be permitted via that custom URL.

• Multi-Factor Authentication (MFA)

• Custom Domain

To use both URLs, it is necessary to enroll the WebAuthn authenticator twice: once for the custom domain and once for the default Okta domain. It is required to specify the Okta organization domain, a custom domain, or a registrable suffix of a custom domain. Once this configuration is complete, users will be able to authenticate using passkeys or security keys across the designated domain and all associated sub-domains.

Related References

• FIDO2 (WebAuthn) - Okta Classic Engine
• FIDO2 (WebAuthn) - Okta Identity Engine
• Register FIDO2 (WebAuthN) Keys under both Custom Domain URL and Okta Org URL
• FIDO2 (WebAuthn) Authenticator Has to Be Enrolled in Every Browser
• Configure the FIDO2 (WebAuthn) authenticator