Unable to Log In to Okta Using YubiKey
Overview

FIDO2 (WebAuthn) login fails, and the Okta System Log records the error:

AllowList is setup that does not allow this factor's aaguid.

Applies To
  • Okta Identity Engine (OIE)
  • Multi-Factor Authentication (MFA)
  • FIDO2 (WebAuthn) / Security Keys
  • YubiKey 5 NFC (and other hardware security keys)
Cause

This issue occurs when the FIDO2 (WebAuthn) authenticator is configured with an AllowList (an AAGUID restriction) that explicitly defines which security key models may be used. The AAGUID (Authenticator Attestation GUID) is a 128-bit identifier that an authenticator reports in the attested credential data of a WebAuthn registration. It identifies the make, model and firmware line of the key rather than the individual device: every key of one model and firmware line shares the same AAGUID, and a new firmware line can carry a new one. Because the value is supplied by the authenticator itself, an allowlist only restricts models reliably when the attestation that accompanies it is verified; on its own it does not prove a key is genuine.

If a user attempts to use a security key whose AAGUID is not present in this list, Okta rejects the attempt and records the error above. This is common when users acquire newer key models: a YubiKey on newer firmware (for example the 5.7 firmware line) can be rejected even though an older YubiKey 5 NFC of the same product line is already on the allowlist, because the two report different AAGUIDs.

Solution

To resolve this issue, the missing AAGUID must be added to the FIDO2 (WebAuthn) authenticator configuration.

  1. Identify the missing AAGUID. In the Okta Admin Console, go to Reports > System Log, open the failed event for the affected user, and note the AAGUID reported for the rejected key. Before adding it, confirm that the value belongs to a model you intend to allow by checking it against the vendor's published AAGUID list (Yubico publishes one for YubiKeys) or the FIDO Alliance Metadata Service; an allowlist that is extended with whatever value a failed login reports no longer restricts anything.

  2. Add the AAGUID to the AllowList:

    1. In the Okta Admin Console, go to Security > Authenticators.

    2. Locate the FIDO2 (WebAuthn) authenticator line.

    3. Click Actions > Edit.

    4. Scroll to the AAGUID configuration section (often labeled "Allowed AAGUIDs").

    5. Click Add Authenticator (or the relevant Add button).

    6. Enter the AAGUID retrieved from the logs.

    7. (Optional) Enter a description for the key (for example, "YubiKey 5 NFC - Firmware 5.7").

    8. Click Save.

  3. Verify:

    • Ask the user to retry the login. If the key was enrolled before the allowlist blocked it, the login should now succeed without re-enrollment; a key that was never enrolled must still be enrolled by the user. The setting is tenant-wide, so every user with a key of that model benefits from the single change, and the System Log entry for the retry should no longer carry the AllowList error.
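The following is an added example, not Okta's code and not part of the original article. It shows where the AAGUID sits in the WebAuthn authenticator data that a key sends at registration, extracts it, and applies an AAGUID allowlist to it in the same spirit as Okta's FIDO2 (WebAuthn) AllowList, reproducing the System Log wording for the deny case. The AAGUID values, the RP ID `example.okta.com`, the credential IDs and the function names are all constructed placeholders; real AAGUIDs must be taken from the vendor's published list or the FIDO Metadata Service. The `check_allowlist` step is also what runs against a new AAGUID after it is added in the Admin Console.

```python
"""
Added example (not Okta's code): parse the AAGUID out of WebAuthn
authenticator data and apply an AAGUID allowlist to it.
"""
from __future__ import annotations

import hashlib
import struct
import uuid

# Authenticator data layout (WebAuthn Level 2, section 6.1):
#   rpIdHash            32 bytes  SHA-256 of the RP ID
#   flags                1 byte   bit0 UP, bit2 UV, bit6 AT, bit7 ED
#   signCount            4 bytes  big-endian
#   attestedCredentialData, present only when the AT flag is set:
#     aaguid              16 bytes
#     credentialIdLength   2 bytes big-endian
#     credentialId         credentialIdLength bytes
#     credentialPublicKey  COSE_Key (CBOR), not parsed here
FLAG_UP = 0x01
FLAG_UV = 0x04
FLAG_AT = 0x40

# Constructed placeholder AAGUIDs (assumption for this example). Real values
# come from the vendor's published list or the FIDO Alliance Metadata
# Service; do not copy these into a production allowlist.
OLD_KEY = uuid.UUID("00000000-0000-4000-8000-000000000001")  # model already allowed
NEW_KEY = uuid.UUID("00000000-0000-4000-8000-000000000002")  # newer firmware line

ALLOWLIST = {OLD_KEY: "YubiKey 5 NFC, older firmware (placeholder AAGUID)"}


def build_registration_auth_data(rp_id: str, aaguid: uuid.UUID, cred_id: bytes,
                                 sign_count: int = 0) -> bytes:
    """Construct authenticator data as a registration ceremony would emit it.

    The trailing credentialPublicKey is stood in for by an empty CBOR map
    (0xa0) because the AAGUID check never looks at it.
    """
    flags = FLAG_UP | FLAG_UV | FLAG_AT
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count)
            + aaguid.bytes
            + struct.pack(">H", len(cred_id))
            + cred_id
            + b"\xa0")


def parse_aaguid(auth_data: bytes) -> tuple[uuid.UUID, bytes]:
    """Return (aaguid, credentialId) from registration authenticator data.

    Raises ValueError for assertion-ceremony data (AT flag clear): the AAGUID
    is only carried at registration, so a login-time check has to use the
    AAGUID that was stored with the credential when it was enrolled.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte fixed header")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        raise ValueError("AT flag clear: no attested credential data, so no AAGUID")
    body = auth_data[37:]
    if len(body) < 18:
        raise ValueError("attested credential data truncated before credentialIdLength")
    aaguid = uuid.UUID(bytes=body[:16])
    (cred_len,) = struct.unpack(">H", body[16:18])
    cred_id = body[18:18 + cred_len]
    if len(cred_id) != cred_len:
        raise ValueError("credentialId truncated")
    return aaguid, cred_id


def check_allowlist(aaguid: uuid.UUID, allowlist: dict[uuid.UUID, str]) -> tuple[bool, str]:
    """Apply the allowlist. An empty allowlist means no AAGUID restriction."""
    if not allowlist:
        return True, "no AllowList configured; any AAGUID is accepted"
    if aaguid in allowlist:
        return True, f"AAGUID {aaguid} allowed ({allowlist[aaguid]})"
    # Mirrors the Okta System Log wording so the two can be correlated.
    return False, f"AllowList is setup that does not allow this factor's aaguid ({aaguid})"


def evaluate_registration(auth_data: bytes, allowlist: dict[uuid.UUID, str]) -> tuple[bool, str]:
    """End-to-end: extract the AAGUID from registration data and apply the allowlist."""
    aaguid, _cred_id = parse_aaguid(auth_data)
    return check_allowlist(aaguid, allowlist)


if __name__ == "__main__":
    data = build_registration_auth_data("example.okta.com", NEW_KEY, b"\x01\x02\x03\x04")
    # Before the fix: the newer key's AAGUID is not on the list.
    print(evaluate_registration(data, ALLOWLIST))
    # After the fix: the admin adds the missing AAGUID with a description.
    fixed = {**ALLOWLIST, NEW_KEY: "YubiKey 5 NFC - Firmware 5.7 (placeholder AAGUID)"}
    print(evaluate_registration(data, fixed))
```

Run it as a script to see the deny result followed by the allow result for the same key. Two points the code makes explicit: the AAGUID is only present in registration data (the `AT` flag), so any login-time model check is a check against what was recorded at enrollment, and an empty allowlist is not a deny-all but a no-restriction setting, which is why the lookup treats it separately.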
