FIDO2 (WebAuthn) Security Key PIN Usage in Okta
Last Updated:
Overview
This article explains how to enforce a PIN when logging in with a FIDO2 (WebAuthn) Security Key.
Applies To
- Okta Identity Engine (OIE)
- Multi-Factor Authentication (MFA
- YubiKey Security Keys
- FIDO2 / WebauthN
- Authentication Policy Rules
Solution
The implementation of a PIN on a FIDO2 Security Key (Like Yubikeys) is governed by User Verification settings. In this context, User Verification refers to a method, such as a PIN or biometrics, that proves the person using the security key is the authorized user.
To enforce PIN use when logging in with a FIDO2 Security Key:
- The FIDO2 (WebAuthn) Security Key Authenticator must be updated in the Okta Admin Console. These settings determine whether users are prompted to configure a PIN (or biometric) during enrollment.
- Authentication Policies must be configured to Require User Interaction.
Configure the FIDO2 Authenticator
For the most current instructions on working with the FIDO2 (WebAuthn) Authenticator, refer to the Okta Administrator Manual Chapter - Configure the Passkeys (FIDO2 WebAuthn) authenticator.
- If this is a new configuration of the FIDO2 (WebAuthn ) Authenticator, see section Add the Passkeys (FIDO2 WebAuthn) authenticator.
- If the FIDO2 (WebAuthn ) Authenticator has already been added and must be edited, see section Edit or delete the Passkeys (FIDO2 WebAuthn) authenticator.
Configure the Additional Assurance > User Verification setting to be Required.
With the Authenticator properly configured, end-users will be prompted and required to set up a user verification method upon enrollment, which may then be used to satisfy Authentication Policy constraints.
Configuring Authentication Policies to enforce PIN
Authentication policies in Okta determine when a user must verify their identity using a PIN or biometric during sign-in. Authentication Policy rules must be configured to Require User Interaction, with the option Require device passcode or biometric user verification enabled, as discussed in the manual chapter: Biometric user verification in authentication policies.
