
ErinK.53801 (Customer) asked a question.
We are enrolling users in FastPass and I am trying to obtain some basic information with no luck in Okta Docs. Key note - We are NOT including our MDM in the workflow at this time.
With that being said I am looking for:
- Cryptographic Key Pair: (a) When is the keypair created - Is it when the user enrolls in the desktop version of Okta Verify or somewhere else? (b) Without using an MDM solution, because I was told it differs, where are the keys (private and public) stored/managed?
- Device Certificate Generation: Without using MDM and without having it use Okta as a CA to push its certificate to the device/laptop, when someone registers/enrolls in FastPass/Okta Verify Desktop application, does Okta push an Okta-originated certificate to the device to use as another validation/attestation check or not? I have read it does not, but Okta support has told us it does, but we are unsure of where to find it, if we can, to confirm.
If anyone has links to show details I would appreciate that as well. These seem very basic but I cannot find documentation for when MDM is not involved.
Thank you.

Hi @ErinK.53801 (Customer), thank you for reaching out to the Okta Community!
The Okta FastPass Technical Whitepaper might help with this. From what I'm seeing here:
"Key pairs are generated on the device, and public keys are sent to the Okta service," and they are created during the "add account" stage.
"...the private keys are stored in a device’s hardware key store if available. Some examples of this include the Trusted Platform Module (TPM) or Secure Enclave (iOS). The private keys never leave the hardware keystore and cannot be backed up or exported to other devices. If the device does not have a hardware key store, the private keys are stored in a software key store."
That being said, I recommend going through the "download the whitepaper" form to make sure you have the latest version of the document, as I've seen older versions floating around the internet.
As for the certificates, as far as I've been able to confirm, they are only used to satisfy the "Managed" condition. Since you aren't using an MDM, your devices are only "Registered," and Okta uses Key Attestation instead of a certificate. This is implied by the Management Attestation FAQ rather than explicitly mentioned.
I recommend reaching out to your Okta Account Executive to discuss the matter. They'll be able to check with the internal team and give you a definitive answer on this.
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!