FIDO2 (WebAuthn) Authenticator Has to Be Enrolled in Every Browser
Okta Classic Engine
Multi-Factor Authentication
Okta Identity Engine
Overview

This article clarifies the enrollment requirements for the FIDO2 (WebAuthn) authenticator factor.

Applies To
  • FIDO2 (WebAuthn)
  • Multi-Factor Authentication (MFA)
Cause

FIDO2 (WebAuthn) authenticator enrollments, such as Touch ID, are attached to a single browser profile on a single device.

Solution
  • To use a FIDO2 (WebAuthn) authenticator on multiple browsers or devices, a new FIDO2 (WebAuthn) enrollment must be created in each browser and on each device.

  • If multiple Google account profiles are used in the Google Chrome browser, a new FIDO2 (WebAuthn) enrollment must also be created for each Google account profile.

  • The FIDO2 (WebAuthn) authenticator only grants access via the URL it was enrolled on. For example, an authenticator enrolled on <domain>.okta.com only allows access through <domain>.okta.com, and an authenticator enrolled on a custom URL only allows access through that custom URL.

  • To allow access to the organization through both a standard Okta URL and a custom URL, the FIDO2 (WebAuthn) authenticator must be enrolled separately for each URL.
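
The URL binding described in the last two items follows from how WebAuthn scopes each credential to a relying party ID (RP ID) and origin. The Python sketch below is an added example, not Okta code: it models only the scoping fields (no signature), assumes the RP ID equals the sign-in hostname, and uses constructed hostnames (`acme.okta.com`, `login.acme.example`) and hypothetical function names.

```python
import hashlib
import json
from urllib.parse import urlsplit


def rp_id_hash(rp_id: str) -> bytes:
    """SHA-256 of the RP ID: the first 32 bytes of WebAuthn authenticator data."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest()


def make_assertion(credential_rp_id: str, page_origin: str) -> dict:
    """Constructed stand-in for what a browser and authenticator return.
    No signature is included; only the scoping fields are modelled."""
    flags = bytes([0x05])              # user present + user verified
    sign_count = (1).to_bytes(4, "big")
    client_data = {"type": "webauthn.get", "challenge": "constructed-challenge",
                   "origin": page_origin}
    return {
        "authenticatorData": rp_id_hash(credential_rp_id) + flags + sign_count,
        "clientDataJSON": json.dumps(client_data).encode("utf-8"),
    }


def check_scope(assertion: dict, expected_rp_id: str, expected_origin: str) -> list:
    """Return the list of scoping failures (empty list means the scope checks pass)."""
    problems = []
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("origin") != expected_origin:
        problems.append("origin mismatch")
    # Simplified suffix rule (assumption): ignores the public suffix list.
    host = urlsplit(client_data.get("origin", "")).hostname or ""
    if host != expected_rp_id and not host.endswith("." + expected_rp_id):
        problems.append("RP ID not valid for origin")
    if assertion["authenticatorData"][:32] != rp_id_hash(expected_rp_id):
        problems.append("rpIdHash mismatch")
    return problems


# Constructed hostnames standing in for a standard Okta URL and a custom URL.
OKTA_RP, OKTA_ORIGIN = "acme.okta.com", "https://acme.okta.com"
CUSTOM_RP, CUSTOM_ORIGIN = "login.acme.example", "https://login.acme.example"

if __name__ == "__main__":
    enrolled_on_okta = make_assertion(OKTA_RP, OKTA_ORIGIN)
    print(check_scope(enrolled_on_okta, OKTA_RP, OKTA_ORIGIN))      # same URL
    print(check_scope(enrolled_on_okta, CUSTOM_RP, CUSTOM_ORIGIN))  # other URL
```

A credential enrolled on one hostname fails every scope check when presented at the other, which is why each URL needs its own enrollment.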

 
