The following article explains why, on a device that uses both FastPass and Virtual SmartCards for authentication, a SmartCard verification prompt is returned repeatedly whenever FastPass is invoked.
Applies to
- Okta Identity Engine (OIE)
- FastPass
- Authentication
- SmartCard
- PIV card
- Windows
- macOS
Okta Verify tries to access certificates that the virtual SmartCard protects behind its verification prompt, and each access triggers that prompt, because the management certificate and the SmartCard certificates share the same Certificate Authority (CA).
According to Configure management attestation for desktop devices, for a device to become managed:
- A certificate must be pushed to the target desktop device.
- Okta will determine if a management certificate is present on the target device.
- Okta Verify will search and access a target certificate and confirm its presence.
- During authentication, Okta Verify reports its existence back to Okta.
Virtual SmartCards also rely on certificates in the machine's certificate store or keychain, and these certificates are used during authentication.
- If a device has multiple certificates from the same certificate authority, Okta Verify checks each one to find the certificate that matches the management CA.
- This includes the certificates used by virtual SmartCards.
- Virtual SmartCard certificates are protected by the SmartCard itself.
- A SmartCard verification prompt therefore appears, because the SmartCard requires it before Okta Verify can access and read these certificates.
NOTE: If Okta Verify is restarted, SmartCard verification prompts can appear outside authentication contexts where Okta Verify FastPass is invoked, as management certificates are also checked upon launch.
Additionally, if multiple certificates for virtual SmartCards are present on the device, multiple SmartCard verification prompts may be returned since Okta Verify will try to access all of them.
To prevent a SmartCard prompt during every Okta Verify for Desktop authentication, do not use the same CA to issue both SmartCard certificates and Okta Device Management certificates.
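The following PowerShell script is an added example, not part of this article or of Okta Verify, that helps confirm whether a Windows device is in the situation described above. It lists every certificate in the user and machine personal stores issued by the management CA and flags those that also carry the Smart Card Logon extended key usage, which is the typical marker of a SmartCard certificate. The CA name is a placeholder you must replace with the issuer of your own management certificates. The script reads only certificate metadata and never opens a private key, so running it does not by itself trigger a SmartCard prompt.

```powershell
# Added example (not Okta's code): find certificates that share an issuer with the
# Okta Device Management certificate and flag the ones that look like SmartCard
# certificates. Only metadata is read; private keys are never opened.

# ASSUMPTION: placeholder CN of the CA that issues your Okta management certificates.
$ManagementCaCn = 'Example Device Management CA'

# Well-known Microsoft OID for the Smart Card Logon enhanced key usage.
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'

$stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'

$report = @(
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Issuer -like "*CN=$ManagementCaCn*" } |
            ForEach-Object {
                # Collect the EKU OIDs from the certificate's extensions, if any.
                $ekuOids = @()
                $ekuExt = $_.Extensions |
                    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
                if ($ekuExt) {
                    $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
                }
                [pscustomobject]@{
                    Store          = $store
                    Subject        = $_.Subject
                    Thumbprint     = $_.Thumbprint
                    NotAfter       = $_.NotAfter
                    HasPrivateKey  = $_.HasPrivateKey
                    SmartCardLogon = ($ekuOids -contains $SmartCardLogonOid)
                }
            }
    }
)

$report | Sort-Object Store, Subject | Format-Table -AutoSize

# More than one certificate from this issuer, at least one of which is a SmartCard
# certificate, is the condition that produces repeated SmartCard prompts.
$smartCardCerts = @($report | Where-Object { $_.SmartCardLogon })
if ($report.Count -gt 1 -and $smartCardCerts.Count -gt 0) {
    $msg = "{0} certificate(s) issued by '{1}' carry the Smart Card Logon EKU. Okta Verify " +
           "evaluates every certificate from this issuer while looking for the management " +
           "certificate, so a SmartCard prompt is expected. Issue the management " +
           "certificate from a separate CA."
    Write-Warning ($msg -f $smartCardCerts.Count, $ManagementCaCn)
}
elseif ($report.Count -eq 0) {
    Write-Output "No certificates issued by '$ManagementCaCn' were found; check the placeholder CN."
}
else {
    Write-Output "No SmartCard certificates share the issuer '$ManagementCaCn'."
}
```

Run the script in the context of the user who signs in with FastPass, since Okta Verify evaluates both the user and machine stores. A warning means the device management CA and the SmartCard issuing CA are the same, and the fix is to separate them as described above.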