This article explains how to enforce a PIN when logging in with a FIDO2 (WebAuthn) Security Key.
- Okta Identity Engine (OIE)
- Multi-Factor Authentication (MFA)
- YubiKey Security Keys
- FIDO2 / WebAuthn
- Authentication Policy Rules
PIN enforcement on a FIDO2 Security Key (like YubiKeys) is governed by User Verification settings. In this context, User Verification refers to a method, such as a PIN or biometrics, that proves the person using the security key is the authorized user.
To enforce PIN use when logging in with a FIDO2 Security Key:
- The FIDO2 (WebAuthn) Security Key Authenticator must be updated in the Okta Admin Console. These settings determine whether users are prompted to configure a PIN (or biometric) during enrollment.
- Authentication Policies must be configured to Require User Interaction.
Configure the FIDO2 Authenticator
For the most current instructions on working with the FIDO2 (WebAuthn) Authenticator, refer to the Okta Administrator Manual Chapter - Configure the FIDO2 (WebAuthn) authenticator.
- If this is a new configuration of the FIDO2 (WebAuthn) Authenticator, see section Add the FIDO2 (WebAuthn) authenticator.
- If the FIDO2 (WebAuthn) Authenticator has already been added and must be edited, see section Edit or delete the FIDO2 (WebAuthn) authenticator.
Configure the Additional Assurance > User Verification setting to be Required.
With the Authenticator configured this way, end users are prompted, and required, to set up a user verification method at enrollment; that method can then be used to satisfy Authentication Policy constraints.
Configuring Authentication Policies to enforce PIN
Authentication policies in Okta determine when a user must verify their identity using a PIN or biometric during sign-in. Authentication Policy rules must be configured to Require User Interaction, with the option Require device passcode or biometric user verification enabled, as discussed in the manual chapter: Biometric user verification in authentication policies.
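Under the hood, the "Require device passcode or biometric user verification" setting corresponds to a WebAuthn relying party requesting `userVerification: "required"` and then checking the User Verified (UV) flag in the authenticator data returned by the security key. The following added example (not Okta's code; the flag constants come from the WebAuthn specification, while the policy check and sample bytes are constructed for illustration) shows that check on the relying-party side:

```javascript
// Added example: how a WebAuthn relying party enforces "user verification required".
// Not Okta's code; the policy function and the sample authenticator data are constructed.

// Flag bits of the "flags" byte in WebAuthn authenticator data.
const FLAG_UP = 0x01; // User Present (the key was touched)
const FLAG_UV = 0x04; // User Verified (PIN or biometric was checked by the authenticator)

// Parse the fixed prefix of authenticator data: rpIdHash(32) | flags(1) | signCount(4).
function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error("authenticator data too short");
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false), // big-endian per the spec
  };
}

// Decide whether an assertion satisfies the policy. "required" mirrors the Okta
// setting above: the authenticator must report UV=1, otherwise the sign-in is rejected.
// The browser side would pass the same value as navigator.credentials.get({ publicKey:
// { ..., userVerification: "required" } }), but the server must still verify the flag.
function assertionSatisfiesPolicy(authData, userVerification) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) return { ok: false, reason: "user presence not asserted" };
  if (userVerification === "required" && !parsed.userVerified) {
    return { ok: false, reason: "user verification required but UV flag not set" };
  }
  return { ok: true, reason: "accepted" };
}

// Constructed sample: a placeholder rpIdHash, the given flags byte, and signCount = 7.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf.fill(0xab, 0, 32); // placeholder bytes, not a real SHA-256 of an RP ID
  buf[32] = flags;
  buf[36] = 7;           // signCount, big-endian 0x00000007
  return buf;
}
```

A PIN-less touch (UP only) passes a "preferred" policy but is rejected under "required", which is exactly the distinction the Okta rule setting enforces.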
