Okta generates an error during the enrollment of an additional authenticator because the requirement for a phishing-resistant authenticator is active. Resolving this issue requires either enrolling the new factor on a device that already has a phishing-resistant method or disabling the restrictive feature in the Admin Console. Users encounter a failure when attempting to add a new security method.
To continue, you'll need an additional security method to verify your identity.
1. Switch to your other device that already has Okta Verify with Okta FastPass set up.
2. Set up an additional security method.
3. Return here and try again with your new security method.
- Okta Identity Engine (OIE)
- Multi-Factor Authentication (MFA)
- Okta Verify FastPass
- Phishing Resistant Authenticators
The error occurs because the Require phishing-resistant authenticator to enroll additional authenticators feature is enabled in the Okta Admin Dashboard under Settings > Features. Okta recognizes two forms of phishing-resistant authenticators: Okta Verify FastPass and specific WebAuthn factors. This issue commonly occurs when a user enrolls in Okta Verify FastPass on one device and then attempts to enroll another factor on another device. Because Okta Verify FastPass is a device-bound authenticator, it cannot be used for authentication on a different device, preventing the enrollment of additional authenticators.
How is the authenticator enrollment error resolved?
Perform one of the following methods to resolve the enrollment error.
Choose one of the following options to enroll an additional authenticator using an active phishing-resistant factor:
- Authenticate with Okta FastPass to enroll another authenticator, such as FIDO2 (WebAuthn) or a hardware key, on the same device.
- Use the Add account to another device option in the Okta Verify application to enroll additional devices.
- Connect a previously enrolled YubiKey that supports FIDO2 to any device to enroll in FIDO2 (WebAuthn) or Okta FastPass on that specific device.
- Use a device-bound authenticator, such as FIDO2 (WebAuthn), to enroll in Okta FastPass on the same device, and then use the Add account to another device option in Okta Verify to enroll additional devices.
Follow these steps to enroll an additional factor from the dashboard using a device already running Okta Verify FastPass:
- Navigate to the Settings section of the End-User Okta Dashboard.
- Locate the Security Methods section.
- Choose the option to set up additional factors.
- Configure a phishing-resistant factor that functions across multiple devices, such as WebAuthn.
Follow these steps to disable the phishing-resistant authenticator requirement:
- Navigate to the Okta Admin Console.
- Go to Settings, then Features.
- Clear the Require phishing-resistant authenticator to enroll additional authenticators feature.
Disabling this feature removes the phishing-resistant restriction when Okta challenges users for new enrollments.
