Okta FastPass Logs as SIGNED_NONCE in the System Log
Last Updated:
Overview
When users enroll in or authenticate with Okta FastPass, the System Log records the factor as SIGNED_NONCE. This occurs because the underlying authentication mechanism relies entirely on a signed cryptographic nonce to prove device identity. During the enrollment process or authentication via the Okta Verify mobile application or desktop device, administrators observe this specific factor logged in the extended System Log events.
Applies To
- Multi-factor Authentication (MFA)
- System log
- Okta Identity Engine (OIE)
- Okta FastPass
Solution
Why does Okta FastPass log as SIGNED_NONCE?
When a user attempts to log in using Okta FastPass, Okta generates a cryptographic nonce (a number used once). This unique, random string prevents replay attacks. Okta Verify uses this nonce and signs it with a private cryptographic key securely stored on the device, such as the Apple Secure Enclave or Windows Trusted Platform Module (TPM). Okta receives the signed nonce, verifies it against the public key the user registered during enrollment, and grants access if the keys match. Because the underlying authentication mechanism relies entirely on a signed nonce to prove device identity, the backend code logs the factor as SIGNED_NONCE.
How does Okta Identity Engine handle Okta Verify enrollment?
When moving to Okta Identity Engine (OIE), Okta automatically enrolls users in FastPass when they enroll in Okta Verify. Regardless of which verification option the administrator selects, Okta automatically enrolls end users in all available options. These options appear in the Account Details page of the application as Authentication Code, Push Notification, and This Device. Okta automatically enrolls end users in all methods, while allowing administrators to control which methods display during authentication, to simplify the end-user experience in case administrators add or remove methods later.
Review the extended Activate factor for user System Log event during the enrollment process to observe the specific factor setup reason.Outcome > Reason User set up SIGNED_NONCE factor
Review the extended System Log event for a user's MFA authentication to observe the Okta Verify factor logged as SIGNED_NONCE.
Examine the debug data within the extended System Log event to locate the specific SIGNED_NONCE factor designation.System > DebugContext > DebugData > Factor SIGNED_NONCE
