WebAuthn Limitations
Okta Classic Engine
Multi-Factor Authentication
Okta Identity Engine
Overview

The WebAuthn Factor is a browser-based authentication method. Its behavior and limitations depend on the browser used and the authentication flow.

This article lists the scenarios in which a user cannot use the WebAuthn factor fully.

Applies To
  • Multi-Factor Authentication (MFA)
  • WebAuthn
Solution

Depending on the authentication scenario, the WebAuthn factor can be limited or unsupported. The known limitations for the factor are:

  • Okta does not support embedded web browsers for WebAuthn-based user verification.
  • Windows 10 builds earlier than 1903 do not have FIDO2 certification for Windows Hello because they use a deprecated implementation of WebAuthn that Okta does not support.
  • On Firefox, WebAuthn does not support CTAP2 with PIN.
  • On Chrome, clearing the "Passwords and other sign-in data" and "Cookies and other site data" browser settings removes the WebAuthn platform authenticator from the Chrome profile. The Okta enrollment is invalidated and is no longer associated with a valid authenticator instance.
  • On Chrome, resetting Apple Touch ID invalidates existing Touch ID WebAuthn enrollments.
  • Okta supports Apple's Touch ID in Safari on Intel-based Apple Macintosh computers running macOS Big Sur and later. However, the FIDO2 (WebAuthn) factor may not function correctly using the Safari browser on Apple Macintosh computers running the Apple M1 processor.
  • On Safari, WebAuthn does not support CTAP2 with PIN.
  • Wiping a security key invalidates existing WebAuthn enrollments in Okta from that security key device and platform authenticators such as Touch ID and Windows Hello.
  • WebAuthn with Touch ID is not supported on Firefox for macOS.
  • FIDO2 (WebAuthn) authenticator enrollments, such as Touch ID, are attached to a single browser profile on a single device. If users want to use a FIDO2 (WebAuthn) authenticator on multiple browsers or devices, advise them to create a new FIDO2 (WebAuthn) enrollment in each browser and on each device. If they have multiple Google account profiles in the Google Chrome browser, they must also create a new FIDO2 (WebAuthn) enrollment for each of those Google account profiles.
  • Each user can configure a maximum of 10 WebAuthn enrollments.