This article addresses a situation in which FastPass does not allow users to log in seamlessly to applications.

Users use FastPass but are then prompted to use another factor that satisfies the authentication policy rule constraints.

• Okta Identity Engine (OIE)
• Okta FastPass
• Multi-factor Authentication (MFA)

FastPass will meet the login requirements for applications with policies that require a phishing-resistant possession factor. However, for Okta FastPass to be phishing-resistant, it requires communication with a loopback server installed on the device at the time of the installation. Sometimes, user machines do not report FastPass as phishing-resistant, so they get into a login loop until a phishing-resistant factor is used.

One cause of this behavior is a browser plugin, such as an ad blocker, which blocks signals sent from FastPass and makes the factor less phishing-resistant.

Verification Steps

1. Disable the plugin(s), then have the user log in.
   • This example uses uBlock as the plugin.
2. Search the log for a relevant event by using the query:  eventType eq "user.authentication.auth_via_mfa".
3. Expand the details of a successful authentication event, expand the Target "Okta Verify", and check the MethodTypeUsed for "Use Okta FastPass" and MethodUsedVerifiedProperties for "PHISHING_RESISTANT".
    

• • If disabling the plugin works and the user(s) can log in fine just with FastPass, the user should either edit their block lists (there could be a block for localhost) or edit their allow lists.
  • For uBlock Origin, adding <subdomain>.okta.com to the Trusted Sites list helped solve the issue.
  • A Deep Dive Into Okta FastPass outlines how it works with a local loopback server and on iOS.

Instructions for Adding uBlock as Allowed

1. Open the settings in the uBlock Dashboard.

2. Go to the Trusted Sites tab.
3. Add the relevant URL (for example, <subdomain>.okta.com).
4. Click Apply Changes.

How to Recreate the Behavior with uBlock Origin

This behavior can be replicated with the uBlock Origin adblocker browser plugin in either Chrome or Firefox.

1. Open the settings in the uBlock Dashboard.

2. Click on Filter Lists.
3. Expand Privacy.
4. Select the checkbox for Block Outsider Intrusion into LAN list.
5. Click Apply Changes.

Instructions for Okta Verify Loop caused by Time Skew

The loop might be caused as well by the user's machine not being synchronized anymore with the main Server, and it will need to be resynchronized by following the steps highlighted below:

• Windows - Okta FastPass

1. 1. Open the Start menu and click Settings.
   2. Click Time & Language on the Settings dialog box.
   3. Scroll to the Related Settings section and click Additional date, time & regional settings.
   4. The Clock and Region screen in the Control Panel displays.
   5. Click Date and Time.
   6. Click the Internet Time tab on the Date and Time dialog box.
   7. Click Change settings.
   8. On the Internet Time Settings dialog box, check the Synchronize with an Internet Time server box.
   9. Select a Server from the drop-down list.
   10. If the server is not listed, type the name of an Internet time server. The time servers can be found on Microsoft’s site.
   11. Click Update now.

NOTE:

• When the blocking plugin is uBlock, either follow the guide above to add <subdomain>.okta.com to the allowlist or uncheck the Block Outsider Intrusion into LAN setting above to use FastPass successfully again.
• If using Safari, FastPass may need to be triggered by Chrome once. Safari/FastPass would work after that.