Many organizations try to launch three technologies at once: Okta Verify, FastPass, and Windows Hello for Business (WHfB). Because WHfB adoption typically lags behind the biometric unlock already available on macOS and mobile devices, tying the three projects together often slows all of them down.
Passwordless authentication on Windows requires WHfB, because it supplies the OS-native user verification that FastPass relies on. Decoupling the WHfB rollout from Okta Verify + FastPass reduces support issues by avoiding the simultaneous setup of two interdependent systems.
- Okta Identity Engine
- Multi-Factor Authentication
- Windows 10/11
- Okta Verify 9.x+
Key concepts
| Component | Role in authentication | Common admin misconception |
| --- | --- | --- |
| Okta Verify | Device-bound authenticator installed on Windows | Requires WHfB at enrollment (it does not) |
| FastPass | Okta's phishing-resistant, device-based login flow | Needs WHfB biometrics on day 1 (it does not) |
| Windows Hello for Business | Provides the OS-native user verification (UV) used by FastPass on Windows | Must be rolled out at the same time as Okta Verify (it should not) |
NOTE: WHfB always provisions a PIN credential, even when biometrics are enabled. Okta cannot tell whether the user unlocked WHfB with face, fingerprint, or PIN; both unlock methods satisfy the user verification check.
Recommended rollout sequence
| Phase | Goal and admin actions | References |
| --- | --- | --- |
| 1. Roll out WHfB | Get WHfB provisioned on corporate devices by pushing the policy silently with MDM. | Microsoft docs → Configure WHfB using Intune |
| 2. Deploy Okta Verify and FastPass | Let users enroll in Okta Verify and FastPass today, even if WHfB is not ready. Set user verification to Preferred so users without WHfB can still sign in with FastPass's device-bound, certificate-based check. | Okta docs → Configure Okta Verify options |
| 3. Inform and nudge users | Remind laggards to finish setting up WHfB. | Okta docs → Add Device Assurance policies |
| 4. Track WHfB adoption | Confirm that the MDM policy is taking effect on devices. | Microsoft docs → Intune device configuration assignment status |
| 5. Enforce UV in Okta | Enforce passwordless, phishing-resistant sign-in by changing user verification from Preferred to Required. | Okta docs → Biometric user verification in authentication policies |
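As an added example (not code from the Okta or Microsoft docs this page references), the following PowerShell script checks phase 4 on a single device: it parses the output of `dsregcmd /status` and reports whether WHfB is provisioned for the signed-in user, in a shape that works as an Intune remediation detection script. The sample output it parses is constructed, the function names `ConvertFrom-DsregStatus` and `Get-WhfbStatus` are chosen here, and it assumes the script runs in the user's context (in Intune, "Run this script using the logged-on credentials" set to Yes), because under SYSTEM dsregcmd does not print the User State section.

```powershell
# Added example, not from the Okta or Microsoft docs. Parses `dsregcmd /status`
# to report whether Windows Hello for Business (WHfB) is provisioned for the
# signed-in user. Intended as an Intune remediation *detection* script:
# exit 0 = WHfB set up, exit 1 = not set up.
# Assumption: runs in the user's context ("Run this script using the logged-on
# credentials" = Yes). As SYSTEM, dsregcmd omits User State and NgcSet reads as NO.

function ConvertFrom-DsregStatus {
    # Turns dsregcmd's boxed "| Section |" headers and "Key : Value" rows
    # into a hashtable keyed "Section/Key".
    param([Parameter(Mandatory)][string[]]$Lines)
    $table   = @{}
    $section = ''
    foreach ($line in $Lines) {
        if ($line -match '^\|\s*(.+?)\s*\|$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
            $table["$section/$($Matches[1])"] = $Matches[2]
        }
    }
    return $table
}

function Get-WhfbStatus {
    param(
        # Pass captured output to analyze an offline capture; defaults to the live command.
        [string[]]$StatusOutput = (& "$env:SystemRoot\System32\dsregcmd.exe" /status)
    )
    $s = ConvertFrom-DsregStatus -Lines $StatusOutput
    [pscustomobject]@{
        AzureAdJoined = ($s['Device State/AzureAdJoined'] -eq 'YES')
        PolicyEnabled = ($s['Ngc Prerequisite Check/PolicyEnabled'] -eq 'YES')   # MDM policy landed
        PreReqResult  = $s['Ngc Prerequisite Check/PreReqResult']                 # WillProvision / WillNotProvision
        NgcSet        = ($s['User State/NgcSet'] -eq 'YES')                       # WHfB key exists for this user
    }
}

# Constructed, abridged sample of dsregcmd /status output; not captured from a real device.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO

+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+

            IsDeviceJoined : YES
             IsUserAzureAD : YES
             PolicyEnabled : YES
          PostLogonEnabled : YES
            DeviceEligible : YES
        SessionIsNotRemote : YES
            CertEnrollment : none
              PreReqResult : WillProvision
'@ -split "`r?`n"

$status = Get-WhfbStatus -StatusOutput $sample
$status | Format-List
# Reading the sample: NgcSet is False, but PolicyEnabled is True and PreReqResult is
# WillProvision, so the MDM policy has applied and WHfB will be set up at the user's
# next sign-in. This is the "policy is taking effect" signal phase 4 looks for.

# Detection-script usage on a live device (uncomment): exit 1 marks the device
# "with issues" in the Intune remediation dashboard until the user finishes WHfB setup.
# $live = Get-WhfbStatus
# if ($live.NgcSet) { exit 0 } else { Write-Output "WHfB not provisioned: $($live.PreReqResult)"; exit 1 }
```

Distinguishing PolicyEnabled from NgcSet matters for the nudge in phase 3: a device with the policy applied but no key yet needs the user to sign in again, while a device reporting WillNotProvision needs admin attention on the prerequisites listed in the same section.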
End-user experience timeline
- Day 0: The user installs Okta Verify and enrolls in FastPass. They may skip setting up Windows Hello because it is not yet required.
- During the grace period: The user sees a recurring message in the Okta sign-in widget telling them to finish setting up Windows Hello. The message appears on every sign-in for which Okta Verify does not detect that Windows Hello is set up.
- After the deadline: If WHfB is still not configured, sign-in is denied. The user sees a message saying that access was denied because Windows Hello setup has not been completed.
Tips & Summary
- Push WHfB silently with MDM.
- Launch Okta Verify + FastPass immediately with user verification set to Preferred.
- Use Device Assurance to set a deadline and communicate expectations.
- Monitor adoption in MDM dashboards.
- Enforce user verification (Required) once coverage is high.
Following this phased approach lets a workforce enjoy passwordless, phishing-resistant logins right away—without waiting for every Windows user to finish Windows Hello enrollment.
