
Christina.J (Customer Support Online Community and Social Care) asked a question.
Our first Ask Me Anything (AMA) of 2026 is happening soon! On January 20, 2026, our AMA session will focus on how to reinforce your security posture with stronger phishing-resistant authentication factors across your entire user base. We understand that rolling out advanced security controls can be challenging, which is why our Okta product expert, John Cokkinias, will be available to help with any questions you may have, from general insights on deploying, managing, or scaling stronger authentication MFA.
How can I participate?
Submit your questions by clicking the ‘Answer’ button below anytime between now and Monday, January 19. Then join us in this thread on Tuesday, January 20, from 9:00 to 11:00 a.m. PST, as our Okta product expert will post detailed, written responses to all submitted questions.
Need ideas on what to ask?
- How to roll out adaptive MFA
- What are the options of policies and factors to defend against phishing attacks
- What's on the roadmap and how can feedback help shape it
- Real-world use cases and the value other customers have seen
These are just a few examples. We welcome your unique use cases, challenges, or curiosity, no matter how big or small.
Want to learn more about this AMA session? Check out this blog post ---> https://support.okta.com/help/s/blog/a67WR000009LnmwYAC/january-20-ask-me-anything-adoption-of-stronger-authentication-mfa?language=en_US
We want to hear your questions. Drop them in now and get expert insight!

With the rise of AI-powered 'adversary-in-the-middle' attacks, how is Okta prioritizing the rollout of FastPass versus hardware-bound keys like YubiKeys?
For authentication to Okta systems, phishing resistant authentication is required. FastPass is required for most LOB applications to ensure managed and compliant devices. FIDO2 security keys are issued to ensure that new enrollments are protected by the same phishing resistant authentication.
We transitioned from Classic to OIE at the beginning of 2025. We are now planning to migrate to Okta FastPass. We observed that enabling Okta FastPass as an MFA factor disrupts the existing enrollment flow for Okta Verify Mobile. A new screen is introduced after clicking on Okta Verify, asking the users to download it on a workstation and enroll. We are trying to see if it's possible to show the new screen only for the group of users who are part of the phase, as we want to push to end users in phases by adding more users to the scope in each phase. This has prevented us from opening Okta FastPass in our org.
Today, the FastPass setting is an org-wide setting, and as you have noticed, the enrollment screen prefers a workstation setup over mobile. You cannot change this experience to target specific groups/users. Stay tuned to the coming roadmap sessions as there are some plans to address this in the future.
What are the options for passwordless authentication with Okta Verify for Windows?
https://help.okta.com/oie/en-us/content/topics/identity-engine/password-optional/password-optional-disabled.htm
Passwordless authentication with FastPass would involve removing the requirement for the password from the global session policy and enabling the authentication policy to allow access with "Any 2 factors".
We're also curious about staged rollouts of Okta FastPass. Would like to request the ability to 'Show the "Sign in with Okta FastPass" button' for specific groups instead of just at the 'Security > Authenticators > Okta Verify' level to avoid having users inadvertently set it up, or getting confused at the sign in page, before their phase has been rolled out.
For a staged rollout, I would recommend not enabling the "Sign In with FastPass" button. You can deploy Okta Verify to your device and have the pilot users enroll. You will modify the authentication policies to require "Registered" devices which will cause the login page to try and authenticate with FastPass if Okta Verify is installed. Users without Okta Verify will continue to authenticate as normal.
If a user’s primary phishing-resistant device is lost or broken, how do we design a fallback policy that remains secure without creating a 'weak link' that an attacker could exploit?
The recommended option would be to require a phishing resistant authenticator in order to enroll another. For that scenario, admins can pre-enroll a FIDO2 key for all users so that they have a backup phishing resistant authenticator to use in the event their FastPass device is lost.
https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/onboard-with-preenrolled-yubikey.htm