Okta FastPass: Authorized at FedRAMP High and supports Authenticator Assurance Level 3 (AAL3)
Updated: February 7, 2025
“Nothing happens until someone tries to log in to something”
- Ancient Authentication Proverb
For as long as we can remember, users have had to choose between strong, secure authentication and a friction-free user experience. Now they don’t have to. Okta FastPass is a secure-by-design authentication mechanism that delivers the ease of use earlier generations of authenticators could only promise. U.S. government agencies have long relied on smartcards (CAC and PIV) to log in to their applications, but that infrastructure has become increasingly difficult to support in the modern world of cloud computing and mobile device access.
It is not only about strong authentication or a top-notch user experience, though. Staying ahead of attackers requires a dynamic security model built directly into the authentication flow, and capabilities such as Okta’s Identity Threat Protection are intended to extend that model across the life of a session, not just the moment of login.
Why FastPass?
By securing the first point of authentication and continuing to evaluate the session for as long as an active single sign-on (SSO) session lives, FastPass can mitigate the impact of phishing attacks, session theft, and unauthorized local activity. It enables passwordless, cryptographically secure access to trusted applications only, and provides a consistent user experience across major platforms and devices, managed or unmanaged. FastPass strengthens your organization’s Zero Trust posture with optional silent context evaluations of the browser and device at every app login, combined with signals from your broader security ecosystem.
Designed for defense-in-depth, FastPass enables phishing-resistant authentication that continues protection long after the initial access request. By leveraging passwordless, phishing-resistant flows and device posture checks, FastPass can help achieve secure access to U.S. government resources while minimizing end-user friction.
With Okta FastPass, U.S. government agencies can:
- Enable phishing-resistant authentication: Mitigate the most common phishing attacks for managed and unmanaged devices on all supported platforms.
- Evaluate device context: Verify the device and browser used during authentication, collecting signals from first-party and third-party sources to make better-informed authentication and authorization decisions.
- Allow passwordless logins: Offer passwordless authentication to all FastPass-protected resources, improving the employee experience and removing the friction of multiple passwords (and password resets) and secondary factors such as push notifications, time-based one-time passwords, and SMS.
With its comprehensive features and focus on security, Okta FastPass is the ideal solution for agencies aiming to balance security with an improved user experience, meeting the needs of today's modern workforce.
Third-party phishing-resistance assessment of Okta FastPass
U.S. government agencies turn to NIST for guidance on which authenticators meet the security and compliance requirements for use within the government workforce. The next revision of NIST SP 800-63B (rev 4), currently in draft, extends the definition of phishing resistance beyond smartcards and hardware security keys (e.g., YubiKeys). With the issuance of OMB M-22-09 and the draft NIST SP 800-63 rev 4 guidance, the U.S. government has a clear path forward.
We’re excited to announce that Okta FastPass is now part of our authorization boundaries for FedRAMP High and FedRAMP Moderate. FastPass has also been assessed as meeting NIST SP 800-63B Authenticator Assurance Levels 2 and 3 (AAL2 and AAL3). As a result, agencies can now offer users a choice of phishing-resistant authenticators that best suit their needs, including FastPass, giving their workforce greater accessibility and ease of use.
FastPass is in line with the NIST guidelines, including:
- Multi-factor authentication (MFA): Proves possession of the device-bound key together with a second factor of inherence (a biometric) or knowledge (a local PIN or password)
- Phishing-resistant authentication: Uses verifier name (origin) binding, so an assertion is only valid for the origin the client actually connected to. Phishing-resistant MFA is a FedRAMP Moderate and above requirement for U.S. agencies under NIST SP 800-53 rev5.
- Cryptographic authenticator: A device-bound authenticator whose private key is generated and used only inside the device’s hardware-backed key store (such as a TPM) for all cryptographic operations, so it can authenticate a user only from that same device
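To make the origin-binding and device-binding points above concrete, the following is an added example written for this page; it is not Okta’s or FastPass’s code and does not describe the FastPass wire protocol. It assumes a hypothetical tenant origin `https://agency.okta.example`, a hypothetical phishing origin `https://agency-okta-login.example`, and device identifiers chosen for the demo, and it uses P-256 ECDSA as a stand-in for whatever key type the device’s hardware store actually holds. A device-bound key signs a server challenge together with the origin the client itself observed; the verifier checks the signature against its own origin, so an assertion relayed through a phishing proxy fails, as does one produced by another device’s key or a replay of an already-consumed challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models the device-side key: generated at enrollment and
// never exported, so only this device can produce a valid assertion.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

// Enroll generates a fresh P-256 key pair, standing in for a key created in
// the device's hardware-backed store during Okta Verify enrollment (assumed).
func Enroll() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Public returns the public key that gets registered with the verifier.
func (a *Authenticator) Public() *ecdsa.PublicKey { return &a.priv.PublicKey }

// assertionDigest binds the challenge to the origin. The length prefix keeps
// (origin, challenge) encodings unambiguous.
func assertionDigest(challenge []byte, origin string) []byte {
	h := sha256.New()
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(origin)))
	h.Write(n[:])
	h.Write([]byte(origin))
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign produces the assertion. observedOrigin is what the client software
// itself sees (the site the browser is really talking to), never a value
// supplied by the page, so a phishing proxy cannot substitute it.
func (a *Authenticator) Sign(challenge []byte, observedOrigin string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, assertionDigest(challenge, observedOrigin))
}

// Verifier models the identity-provider side: one expected origin, a table of
// enrolled device keys, and the challenges issued but not yet consumed.
type Verifier struct {
	origin  string
	devices map[string]*ecdsa.PublicKey
	pending map[string]bool
}

func NewVerifier(origin string) *Verifier {
	return &Verifier{origin: origin, devices: map[string]*ecdsa.PublicKey{}, pending: map[string]bool{}}
}

func (v *Verifier) Register(deviceID string, pub *ecdsa.PublicKey) { v.devices[deviceID] = pub }

// NewChallenge issues a random 32-byte nonce and remembers it as pending.
func (v *Verifier) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	v.pending[hex.EncodeToString(c)] = true
	return c, nil
}

// Verify checks the signature against the verifier's OWN origin, not any
// origin reported by the client, and consumes the challenge on every attempt
// so a captured assertion cannot be replayed.
func (v *Verifier) Verify(deviceID string, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	if !v.pending[key] {
		return errors.New("unknown or already-used challenge")
	}
	delete(v.pending, key)
	pub, ok := v.devices[deviceID]
	if !ok {
		return fmt.Errorf("device %q is not enrolled", deviceID)
	}
	if !ecdsa.VerifyASN1(pub, assertionDigest(challenge, v.origin), sig) {
		return errors.New("signature does not match the expected origin and device key")
	}
	return nil
}

// SimulateLogin runs one challenge/response round. When a phishing proxy is
// in the path, observedOrigin differs from v.origin and verification fails.
func SimulateLogin(v *Verifier, deviceID string, a *Authenticator, observedOrigin string) error {
	challenge, err := v.NewChallenge()
	if err != nil {
		return err
	}
	sig, err := a.Sign(challenge, observedOrigin)
	if err != nil {
		return err
	}
	return v.Verify(deviceID, challenge, sig)
}

func main() {
	const realOrigin = "https://agency.okta.example" // hypothetical tenant origin
	v := NewVerifier(realOrigin)
	laptop, _ := Enroll()
	v.Register("laptop-1", laptop.Public())
	fmt.Println("direct login:", SimulateLogin(v, "laptop-1", laptop, realOrigin))
	fmt.Println("via phishing proxy:", SimulateLogin(v, "laptop-1", laptop, "https://agency-okta-login.example"))
	other, _ := Enroll()
	fmt.Println("another device's key:", SimulateLogin(v, "laptop-1", other, realOrigin))
}
```

The design choice worth noting is that the verifier never trusts an origin string sent by the client; it recomputes the digest over the origin it knows itself to be, which is what makes a relayed assertion useless to the proxy. The single-use challenge table is the simplest form of the session-level protection the page alludes to: a stolen assertion is dead on arrival because its challenge has already been consumed.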
The FastPass journey begins with an enrollment (or adding an account) process on the Okta Verify app of your device. FastPass also facilitates device posture checks and device context re-evaluation, ensuring the security of devices in use, whether managed or unmanaged.
Customer responsibilities to configure and leverage FastPass
Our effort includes FastPass’ FedRAMP High authorization and an attestation from our FedRAMP Third Party Assessment Organization (3PAO) that FastPass is AAL2/AAL3 compliant when properly configured on supported devices. Using a software-based phishing-resistant authenticator such as FastPass still involves a risk acceptance on the customer’s side, and customers should understand what that entails. Customers are responsible for:
- FIPS-validated encryption of the disk
- Using FIPS-validated TPMs on their devices
- Using FIPS-validated modules on their devices
- Implementing FastPass in line with their mission requirements and use cases
  - For example, to satisfy NIST SP 800-53 rev5 control IA-2(6) (authentication to accounts using a separate device), customers may need to require a separate physical authenticator in addition to FastPass
The use of FIPS 140-validated cryptographic modules wherever encryption is required is a Federal mandate, and it applies to MFA tools as well. You can learn more in Okta’s FIPS compliance information, the customer requirements for device platform cryptography, and the Okta Verify FIPS configuration guidance.
Glossary of resources
While innovative MFA factors contribute to positive customer experiences, understanding and attesting to them can be complicated. For example, an agency can require proof of possession to be generated on a separate device. Below are several U.S. federal resources to help you get started:
- U.S. General Services Administration’s Phishing-Resistant Authenticator Playbook
- Supplement to NIST SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management
- NIST SP 800-63 rev 4, Digital Identity Guidelines
- U.S. Office of Management and Budget Memorandum (OMB M-22-09), Moving the U.S. Government Toward Zero Trust Cybersecurity Principles
- National Security Agency’s Selecting Secure Multi-factor Authentication Solutions
You can also learn more about the Okta Secure Identity Commitment by registering for our upcoming Okta Gov Identity Summit. In Breakout session D, “Okta and ATOs, they go together,” you’ll hear firsthand about our fight against identity attacks, from FastPass AAL3 and our existing authorizations to security technical implementation guides (STIGs).