Configuring Okta FastPass for a Subset of Users in OIE
Multi-Factor Authentication
Okta Identity Engine
Overview

This article discusses whether Okta FastPass can be rolled out selectively to a specific group of users, because admins encounter only an “all or nothing” option during enablement. To replicate this issue, navigate through the Okta FastPass settings, attempt to assign it to a specific subset of users, and observe the limitation in customization options.

Applies To
  • Okta FastPass
  • Okta Identity Engine (OIE)
  • Multi-Factor Authentication (MFA)
Cause

When Okta FastPass is enabled, it becomes available to all end-users who have the Okta Verify authenticator available in the Enrollment policies that apply to them. The "Sign in with Okta FastPass" button is a global setting.

However, Admins can set up Authentication and Enrollment Policies that require only specific users/groups to enroll with Okta Verify (OTP, Push, and FastPass) as the required MFA, and that deny enrollment to users/groups that do not need Okta Verify (OTP, Push, and FastPass) by denying them access.

Solution
  1. Enable Okta FastPass, which will make it initially available to all end-users.
    To enable: Go to Security > Authenticators > select Setup tab > click Actions under Okta Verify > Edit > under Verification Options, enable Okta FastPass (All Platforms).

  2. Proceed to the policy settings and establish Authentication and Enrollment Policies. These policies will serve as the foundation for determining whether access is restricted or allowed.

    1. To set up an Enrollment Policy, go to Security > Authenticators > Enrollment tab. Create a Policy for specific FastPass Users/Groups that will only allow them to use Okta Verify (OTP, Push, and FastPass).

    2. View details of an Authentication Policy:

      • Option 1: Go to Applications > Applications > search for the specific App for which to create an Authentication Policy for Okta Verify (FastPass) > select the Authentication tab > view Policy Details.
      • Option 2: Go to Security > Authentication Policies > search and select the existing policy name created.  
    3. Create an Application Authentication Policy:

      1. Add Rule.

      2. Fill in the authentication settings. For example:

        1. User's group membership includes - Assign the specific group (for example, FastPass Users Group).

        2. User must authenticate with - This can be Possession Factor, Password + Any 1 Factor Type/IdP, and so on (it depends on the company's security requirements), as long as the Authentication methods setting shows the "Okta Verify - FastPass" factor type.

        3. Authentication methods - Allow specific authentication methods: Okta Verify - FastPass.


  3. Restrict User Access: Within the defined policies, designate the conditions and user groups authorized to use Okta FastPass. Tailor these settings to align with the organizational needs, ensuring that only the desired subset of users can enroll in and use Okta FastPass.
    If an Admin needs to deny users/groups using Okta Verify - FastPass as the MFA, a second policy can be created to disallow specific authentication methods.

  4. Upon configuring the restrictions, conduct tests with several users from different groups to validate that only the intended users can access and use Okta FastPass.

  5. Conduct regular monitoring of the usage and modify the policies as necessary to cater to the evolving requirements of the organization.
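
One way to carry out the testing and monitoring steps above, as an added example that is not part of the original article or of Okta's tooling: it compares observed sign-ins with the intended FastPass group. The group members, the records and their field names are constructed for illustration and are not Okta's System Log schema.

```python
from collections import defaultdict

FASTPASS = "Okta Verify - FastPass"  # factor name as shown in the article

# Constructed sample data (assumption): members of the FastPass group and a
# simplified export of which Okta Verify method each sign-in attempt used.
FASTPASS_GROUP = {"alice@example.com", "bob@example.com", "carol@example.com"}
SIGN_INS = [
    {"user": "alice@example.com", "method": FASTPASS, "result": "SUCCESS"},
    {"user": "bob@example.com", "method": "Okta Verify - Push", "result": "SUCCESS"},
    {"user": "bob@example.com", "method": FASTPASS, "result": "FAILURE"},
    {"user": "dave@example.com", "method": FASTPASS, "result": "SUCCESS"},
    {"user": "erin@example.com", "method": "Okta Verify - Push", "result": "SUCCESS"},
    {"user": "erin@example.com", "method": FASTPASS, "result": "FAILURE"},
]


def audit_fastpass_rollout(group, sign_ins):
    """Compare observed sign-ins with the intended FastPass scope."""
    succeeded = defaultdict(set)  # user -> methods that completed a sign-in
    for event in sign_ins:
        if event["result"] == "SUCCESS":
            succeeded[event["user"]].add(event["method"])

    report = {
        # Outside the group, yet FastPass worked: the deny policy did not apply.
        "unexpected_fastpass": set(),
        # In the group, yet another method worked: the rule that should allow
        # only FastPass is too permissive or was not the rule that matched.
        "bypassed_fastpass": set(),
        # In the group with no successful FastPass sign-in: not yet validated.
        "untested_members": set(),
    }
    for user, methods in succeeded.items():
        if user not in group and FASTPASS in methods:
            report["unexpected_fastpass"].add(user)
        if user in group and methods - {FASTPASS}:
            report["bypassed_fastpass"].add(user)
    for user in group:
        if FASTPASS not in succeeded.get(user, set()):
            report["untested_members"].add(user)
    return report


if __name__ == "__main__":
    for finding, users in audit_fastpass_rollout(FASTPASS_GROUP, SIGN_INS).items():
        print(f"{finding}: {sorted(users)}")
```

Failed FastPass attempts by users outside the group are the expected outcome of the deny policy and are not reported.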

     
