This topic explains what factors can work for MFA in a passwordless sign-in. It provides two ways of setting up two-factor authentication for your passwordless sign-in flows.

Available authenticators for passwordless users

The set of authenticators that is available to a user for sign-on is determined by the intersection of Authenticator Enrollment policy and Authentication policy. Authentication policy provides different factor options, but for passwordless multifactor authentication, only the Any 2 factor types option can be used.

The Any 2 factor types option requires the user to authenticate with two authenticators from two of the following factor types:

Knowledge-based: Something the user knows

These factors can be hardware-protected, device bound, or phishing-resistant.

Knowledge-based authenticators include Password and Security Question. However, Security Question can only be used for MFA if the user has an enrolled password. Therefore, knowledge-based authenticators can’t be used to satisfy MFA requirements for passwordless sign-in. Hence, the user needs one possession-based and one biometric factor to sign in without a password.

There are two ways you can set up two-factor authentication for passwordless sign-in experience: 1.

While there are several possession-based factors, options for biometric factors only include Okta Verify and WebAuthn (FIDO2). However, when biometrics are enabled on Okta Verify or WebAuthn, either of them alone satisfies both the Possession and Biometric factor type requirements for 2FA. And therefore, the user is not prompted for any more factor types. Thus, to configure two-factor authentication for passwordless sign-in, you need either Okta Verify with Push Notification or WebAuthn with User verification set to Required.

When user verification is required, the user must enable biometrics during the factor enrollment. This adds a Biometric component to the authenticator. For example, if the user is using Okta Verify on an iPhone and user verification is required, a FaceID check is performed before the user is allowed to use Okta Verify to answer a challenge.

Okta Verify with TOTP, even when user verification is required, is considered only as a Possession factor and alone doesn’t satisfy 2FA requirements.