<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content

Okta Error Occurs During WebAuthn Enrollment on Android Devices

Okta Classic Engine
Devices and Mobility
Okta Identity Engine

Overview

End-users encounter an error when attempting to enroll Web Authentication (WebAuthn) or Fast Identity Online 2 (FIDO2) biometric factors on Android mobile devices when the authentication flow executes within an embedded application environment (WebView). This occurs because Android WebViews do not support the public key credential Application Programming Interfaces (APIs) required for WebAuthn. Resolve this issue by adjusting authentication policies for Android devices or routing users to native applications or standalone browsers. The following error message displays during the enrollment attempt:

 

The user agent does not support public key credentials

 

Error Message

Applies To

  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Multi-Factor Authentication (MFA)
  • Web Authentication (WebAuthn)
  • Fast Identity Online 2 (FIDO2)
  • Android Devices

Cause

While the Android operating system fully supports FIDO2, Client to Authenticator Protocol 2 (CTAP2), and platform biometrics natively, Google restricts WebAuthn APIs within Android WebViews (embedded in-app browsers) for security reasons. If an Android application attempts to trigger a web-based Multi-Factor Authentication (MFA) enrollment or authentication flow within an embedded browser wrapper rather than a standalone browser (such as Google Chrome), the user agent fails to process the public key credentials.

Solution

How is the biometric enrollment error resolved on Android devices?

 

Deploy Okta Verify, modify authentication policies, or isolate the authentication flow to standalone browsers to resolve the biometric enrollment error on Android devices.

  • Deploy Okta Verify/FastPass: Transition Android authentication policies to use Okta Verify. Because Okta Verify is a native application, it hooks directly into the native biometric architecture of Android and bypasses browser user agent limitations entirely.
  • Modify Authentication Policies: Configure policies to prevent Android mobile devices operating in web-only environments from entering mandatory WebAuthn or FIDO2 enrollment loops.
  • Isolate the Flow to Standalone Browsers: Ensure that the authentication flow performed on an Android mobile device forces the user out of embedded application WebViews and into a supported standalone browser (e.g., Google Chrome) to complete WebAuthn registration.
Loading
Okta Support - Okta Error Occurs During WebAuthn Enrollment on Android Devices