Top 5 highlights: Adoption of Stronger Multi-Factor Authentication (MFA) AMA
Christina.J

Thank you to everyone who participated in our Ask Me Anything on the Adoption of Stronger Multi-Factor Authentication (MFA)! For those who couldn’t join, we’ve put together the top five highlights from the session. You can also dive into the full discussion to explore detailed answers from our product expert by reading the complete discussion thread.


Here are the key takeaways:


Deploying MFA for non-domain-joined, air-gapped Windows PCs

If you’re curious about whether Okta Verify for Windows will support non-domain-joined, air-gapped Windows devices, good news: our expert clarified that if air-gapped devices have internet access to connect to Okta, Okta FastPass may be a great option for this specific use case. There aren’t any domain requirements for installing or enrolling in FastPass.


Designing a fallback policy when a user’s primary phishing-resistant device is lost, broken, or stolen

The recommended option is to require a phishing-resistant authenticator to enroll another device. In this specific scenario, admins can pre-enroll a FIDO2 key for all users so they have a backup phishing-resistant authenticator to use in the event their FastPass device is lost, broken, or stolen. Learn more in this product documentation.


Options for passwordless authentication with Okta Verify for Windows


Passwordless authentication with FastPass involves removing the password requirement from the global session policy and setting the authentication policy to allow access with “Any 2 factors”. More details can be found here.


Report for users enrolled in Okta FastPass on PCs vs. users enrolled on mobile devices


You can view the devices per platform and filter by Windows, macOS, Android, and iOS.


AI-powered adversary attacks and Okta FastPass


A member wanted more clarification on the rise of AI-powered adversary-in-the-middle attacks, and how Okta prioritizes the rollout of FastPass versus hardware-bound keys like YubiKeys. Great question! For authentication to Okta systems, phishing-resistant authentication is required. FastPass is required for most LOB applications to ensure managed and compliant devices. FIDO2 security keys are issued to ensure the new enrollments are protected by the same phishing-resistant authentication.


As we continue our AMA program, we’re excited to bring you more topics and connect you with our product experts to discuss the issues that matter most to your organization. Stay tuned for upcoming sessions—we look forward to seeing you!
