Unable to Use Touch ID with Authenticator Groups
Overview
This article discusses a known limitation with Touch ID and Okta's Authenticator Groups. Touch ID, and any other implementation of the FIDO2 Web Authentication (WebAuthn) standard that does not include an Authenticator Attestation Global Unique Identifier (AAGUID), will encounter issues with Okta's Authenticator Groups.
Applies To
- Okta Identity Engine (OIE)
- FIDO2 WebAuthn
- Authenticator Groups
Cause
The allow list for FIDO2 WebAuthn Authenticators works by filtering on the AAGUID of the FIDO2 WebAuthn authenticator during attestation. Apple's Touch ID is an example of an implementation that either does not provide an attestation statement or sends an all-zero AAGUID. Therefore, no AAGUID filtering can be applied to an Allow List for Touch ID or for any other authenticator that fails to include an identifying AAGUID.
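To make the cause concrete, the following added example (not Okta's code, and not how Okta implements Authenticator Groups internally) parses the WebAuthn authenticatorData structure, pulls out the 16-byte AAGUID from the attested credential data, and evaluates it against an allow list. The allow-listed AAGUID is a constructed placeholder, not a real vendor value, and the three enrollments are constructed inline: a key carrying an allow-listed AAGUID, a platform authenticator that reports an all-zero AAGUID (the Touch ID behaviour described above), and an attestation with no attested credential data at all. The last two can never match, whatever the allow list contains.

```python
"""Added example: evaluating a WebAuthn AAGUID allow list, and why a zero or
absent AAGUID (as sent by Touch ID) can never satisfy it."""
import hashlib
import struct
import uuid

# Constructed placeholder AAGUID for a hypothetical allow-listed security key.
# This is not a real vendor value; an operator would use the vendor's published AAGUID.
ALLOWED_KEY_AAGUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
ALLOW_LIST = {ALLOWED_KEY_AAGUID}
ZERO_AAGUID = uuid.UUID(int=0)  # 00000000-0000-0000-0000-000000000000

FLAG_UP = 0x01  # user present
FLAG_AT = 0x40  # attested credential data included


def build_auth_data(rp_id, aaguid, cred_id, pubkey_cbor=b"\xa0", sign_count=0):
    """Construct authenticatorData bytes for test input (WebAuthn layout):
    rpIdHash(32) | flags(1) | signCount(4) | AAGUID(16) | credIdLen(2) | credId | credPubKey(CBOR)
    If aaguid is None the attested credential data block is omitted and the AT flag is clear."""
    data = hashlib.sha256(rp_id.encode()).digest()
    if aaguid is None:
        return data + bytes([FLAG_UP]) + struct.pack(">I", sign_count)
    data += bytes([FLAG_UP | FLAG_AT]) + struct.pack(">I", sign_count)
    data += aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id + pubkey_cbor
    return data


def extract_aaguid(auth_data):
    """Return the AAGUID carried in authenticatorData, or None when the AT flag is clear."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the fixed 37-byte header")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        return None
    if len(auth_data) < 55:
        raise ValueError("AT flag set but attested credential data is truncated")
    return uuid.UUID(bytes=auth_data[37:53])


def check_allow_list(auth_data, allow_list=ALLOW_LIST):
    """Decide whether an enrollment passes an AAGUID allow list.
    Returns (allowed, reason). An absent or all-zero AAGUID is treated as
    unidentified rather than matched, so it is always refused by the list."""
    aaguid = extract_aaguid(auth_data)
    if aaguid is None:
        return False, "no attested credential data, AAGUID absent"
    if aaguid == ZERO_AAGUID:
        return False, "AAGUID is all zeros, authenticator model cannot be identified"
    if aaguid in allow_list:
        return True, f"AAGUID {aaguid} is on the allow list"
    return False, f"AAGUID {aaguid} is not on the allow list"


def demo():
    """Evaluate three constructed enrollments against the allow list."""
    cases = {
        "allow_listed_key": build_auth_data("example.com", ALLOWED_KEY_AAGUID, b"\x01\x02"),
        "zero_aaguid_platform": build_auth_data("example.com", ZERO_AAGUID, b"\x03\x04"),
        "no_attested_data": build_auth_data("example.com", None, b""),
    }
    return {name: check_allow_list(ad) for name, ad in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The design point is that a zero AAGUID is refused explicitly rather than looked up: adding the all-zero value to an allow list would admit every authenticator that hides its model, which defeats the purpose of restricting enrollment to specific hardware. That is the same reason an Authenticator Group cannot be made to accept Touch ID by configuration.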
Solution
If Touch ID is required, a user must not be assigned to an Authenticator Group in their enrollment policy. For further information, please see the manual chapter on Deleting an authenticator group from an authentication enrollment policy.
Alternatively, disabling the Authenticator Groups will allow all FIDO2 WebAuthn Authenticators for those with FIDO2 WebAuthn enabled in their Enrollment Policies.
