Okta and YubiKeys


Overview

Okta offers and supports many authentication factors, including two that are phishing-resistant: FIDO2/WebAuthn and smart cards (PIV/CAC). Yubico supports both of these factors on YubiKeys. This guide covers these two phishing-resistant factors and how they can be set up and configured within an Okta tenant to work with YubiKeys.

Read the following links for all supported MFA authentication options within Okta:


FIDO2/WebAuthn

FIDO2/WebAuthn in an Okta tenant is a possession-type factor that follows the FIDO2 Web Authentication standard. This factor is available in both Okta Classic and Okta Identity Engine (OIE). YubiKeys can be enrolled as a FIDO2/WebAuthn authentication factor in an Okta tenant.


Read more about YubiKeys and FIDO2/WebAuthn authentication here: FIDO2 passwordless authentication.


Prerequisites

In this section we will cover what is required to implement and configure your Okta tenant to support FIDO2/WebAuthn authentication:

  • Add FIDO2/WebAuthn as an authentication factor.
  • Have a security key (YubiKey) to enroll as the FIDO2/WebAuthn factor.
  • User Verification (UV) settings:
    • User Verification (UV) is a FIDO2 operation in which the authenticator verifies that the user is authorized to use it, and signals to the Relying Party (RP) whether user verification succeeded. To read more about UV click here.
    • For Okta Classic, UV defaults to “Preferred” and cannot be changed.
    • For OIE, UV is configurable with the following options, so consider which setting fits your environment:
      • Discouraged: Users are not prompted for UV when they enroll in a FIDO2 (WebAuthn) authenticator. This is the default setting to provide a consistent experience for end users signing in from various operating systems.
      • Preferred: Users are prompted for UV if they enroll in a FIDO2 (WebAuthn) authenticator that supports it.
      • Required: Users are always prompted for UV when they enroll in a FIDO2 (WebAuthn) authenticator. The authenticator that the user is enrolling in must support User Verification. Use this setting for authenticators that require User Verification, like FIDO2 (WebAuthn) with Touch ID.
  • Backup authentication factors such as a backup YubiKey.
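The UV options above determine what Okta, acting as the WebAuthn relying party, can conclude from an assertion. The following added example (illustrative code, not Okta's or Yubico's implementation) shows the relying-party side of that decision: it parses the authenticator-data flags a security key returns and applies each of the three policies, together with the RP ID and signature-counter checks every RP performs. The RP ID example.okta.com and the sample authenticator data are constructed for the example.

```python
"""Added example: how a WebAuthn relying party (RP) decides whether to accept a
FIDO2 assertion under each User Verification (UV) policy. Illustrative code, not
Okta's or Yubico's. The policy names match the OIE setting values; the
authenticator-data layout (rpIdHash 32 bytes, flags 1 byte, signCount 4 bytes
big-endian) is from the WebAuthn specification. Sample data is constructed."""
import hashlib
import struct

FLAG_UP = 0x01  # bit 0: user present (the key was touched)
FLAG_UV = 0x04  # bit 2: user verified (PIN or biometric checked on the key)


def parse_auth_data(auth_data):
    """Split the fixed 37-byte prefix of WebAuthn authenticator data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": rp_id_hash, "up": bool(flags & FLAG_UP),
            "uv": bool(flags & FLAG_UV), "sign_count": sign_count}


def evaluate_assertion(auth_data, rp_id, uv_policy, last_sign_count=0):
    """Return (accepted, reason). uv_policy is "discouraged", "preferred"
    or "required", the three OIE setting values."""
    if uv_policy not in ("discouraged", "preferred", "required"):
        raise ValueError("unknown UV policy: %s" % uv_policy)
    parsed = parse_auth_data(auth_data)
    # The assertion must have been made for this RP ID; a key on a look-alike
    # origin signs a different rpIdHash, which is what makes FIDO2 phishing-resistant.
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this RP"
    if not parsed["up"]:
        return False, "user presence (touch) not asserted"
    # A counter that fails to increase can indicate a cloned authenticator.
    if last_sign_count and parsed["sign_count"] <= last_sign_count:
        return False, "signature counter did not increase"
    if parsed["uv"]:
        return True, "accepted: possession plus user verification"
    if uv_policy == "required":
        return False, "UV required but authenticator did not verify the user"
    # "preferred" and "discouraged" both accept a touch-only assertion, so the
    # login then proves possession of the key only.
    return True, "accepted: possession only (UV not performed, policy %s)" % uv_policy


def make_auth_data(rp_id, up, uv, sign_count):
    """Build constructed authenticator data for testing (no attestation fields)."""
    flags = (FLAG_UP if up else 0) | (FLAG_UV if uv else 0)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```

The "preferred" branch is the one to notice: when a user enrolled a key without a PIN, a successful login under that setting proves possession only, which is why the choice of UV setting belongs in the prerequisites.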


Implementation guides

The following are implementation guides for both Okta Classic and OIE that will help you with your FIDO2/WebAuthn implementation:

Once you have configured your Okta tenant to support FIDO2/WebAuthn factors, end-users will be able to enroll their security keys (YubiKeys). It is recommended that your end-users have an additional backup YubiKey configured for their account in the event of a lost key.

Okta Enrollment and Authentication policies can and should be configured to allow FIDO2/WebAuthn authentication. These policies can either “Require” FIDO2/WebAuthn authentication or make it “Optional”. Additionally, Okta administrators can elect to enroll on behalf of (EOB) an end-user, which requires a manual enrollment process per user.

The configuration of these policies will vary based on your identity and authentication requirements. Here are some examples and suggestions of how to ensure you are implementing phishing-resistant authentication at every level of access within your Okta tenant:

  • Okta portal (Dashboard) authentication
    • Enrollment policies:
      • Require end-users, after satisfying another factor, to enroll a FIDO2/WebAuthn factor, i.e., their YubiKey.
    • Authentication policies (OIE only):
      • Require FIDO2/WebAuthn authentication to access your company’s Okta dashboard.
    • Sign-on policies (Okta Classic):
      • Set-up Factor Sequencing to require FIDO2/WebAuthn authentication. This can target specific groups or Everyone.
  • Application level authentication (OIE)
    • Require FIDO2/WebAuthn authentication to access your company’s applications/resources (may vary based on level of application sensitivity).
  • Application level MFA (Classic)
  • Okta administrator portal authentication (OIE)
      • Require FIDO2/WebAuthn authentication for administrators to access the Okta administrator console. This is a separate application within your Okta tenant, and authentication policies can be configured to ensure phishing-resistant authentication is the only mechanism for access. Note: In Okta Classic, this would be an App-level Sign-on policy.


User experience

When an end-user walks through the enrollment process for a FIDO2/WebAuthn security key (YubiKey), they are prompted to allow Okta to collect information about the specific security key they wish to enroll. Each enrolled FIDO2/WebAuthn authenticator then appears in the user's Settings under Security Methods, listed by authenticator name. A YubiKey security key, for example, is listed as YubiKey 5 with NFC. This is possible because Okta pulls data from the FIDO Alliance Metadata Service, which identifies the model of security key (YubiKey) being enrolled.

Note: At this time, Okta does not support discoverable credentials for FIDO2/WebAuthn, so end-users will need to supply their username when logging into an Okta tenant.



Smart cards (PIV/CAC)

The Smart Card feature in Okta allows end-users to use smart cards with an X.509-compliant digital certificate, such as a PIV/CAC card, as a primary authentication factor to sign into an Okta tenant. A YubiKey can be configured as a PIV-derived smart card and used for this authentication factor within an Okta tenant.

Read more about how to set up YubiKeys for smart cards here: YubiKey Smart Card Deployment Guide.


Prerequisites

In this section we will cover what is required to implement and configure your Okta tenant to support smart card authentication:

  • Add a Smart Card IdP to your Okta tenant
  • PKI infrastructure
  • A YubiKey configured for smart card authentication.


Implementation guides

The following are implementation guides for both Okta Classic and OIE that will help you with your smart card implementation:

Once you have configured your Okta tenant to support smart card authentication and configured YubiKeys to act as PIV-derived smart cards, end-users will be able to authenticate with their YubiKeys using smart card authentication.

OIE only: Okta Enrollment and Authentication policies in your Okta tenant can and should be configured to either “Require” smart card authentication or make it “Optional”. This is done by enabling Smart Card IdP Authenticator as a factor in your tenant.

Note: Smart Card IdP Authenticator is an Early Access feature in OIE. Refer to the following Okta documentation for more information: Smart Card IdP Authenticator.

The configuration of these policies will vary based on your identity and authentication requirements. Here are some examples and suggestions:

  • Okta portal (Dashboard) authentication
    • Enrollment policies:
      • Require end-users, after satisfying another factor, to enroll their YubiKey as a Smart Card IdP authenticator.
    • Authentication policies:
      • Require smart card authentication to access your company’s Okta dashboard.
  • Application level authentication
    • Require smart card authentication to access your company’s applications/resources (may vary based on level of application sensitivity).
  • Okta administrator portal authentication
    • Require smart card authentication for administrators to access the Okta administrator console.


User experience

To authenticate to their Okta tenant with smart card credentials, an end-user first connects the smart card to their device; a YubiKey configured as a PIV-derived smart card is plugged in the same way. The following steps then occur:

  1. Using a supported browser, go to the Okta sign-in page for your Okta org and click Sign-in with PIV/CAC Card.
  2. When presented with the PIV/CAC card dialog box, ensure your smart card (or PIV-derived YubiKey) is properly connected to your device.
  3. In the certificate picker dialog box, choose the requisite certificate.
  4. Enter the PIN associated with the certificate.
  5. You should be authenticated into your Okta dashboard.

Note: If your OIE tenant has Smart Card IdP Authenticator enabled and is set to “Required” or “Optional” for your end-users, they may be prompted to enroll their smart card as a factor after satisfying an initial factor requirement. If they have already enrolled their smart card as an IdP authenticator, they can click on the Sign-in with PIV/CAC Card on the Okta sign-in page.


Supplemental guides

One-time password and YubiKeys

For those considering OTP (one-time password), YubiKeys are supported within Okta and can be used as this factor. Refer to the following documentation for guidance on how to configure your Okta tenant:

Note: “YubiKey” is equated to the OTP authenticator in the Okta platform and should not be confused with FIDO2/WebAuthn security keys.

Additional supplemental guides

The following are Okta and Yubico supplemental guides that may be useful when working with Okta and YubiKeys:

Okta Identity Engine (OIE)

Okta Classic

YubiKey