FastPass expands phishing resistance with device-bound passcode option
A strong access management solution must be built on a strong MFA foundation that includes multiple security factors that amplify one another to ensure a high security assurance level. From cyber insurance providers to standards-setting organisations such as NIST, security experts recommend implementing MFA wherever possible. And, when considering which factors to implement, biometrics stand out as a highly effective method for verifying a user’s identity, offering a considerably higher barrier for theft and spoofing compared to knowledge factors.
Combine biometrics with Okta FastPass, a Zero Trust, phishing-resistant authenticator that protects long after the initial access request, and you have the recipe for the safest way to authenticate and thwart Identity-based attacks.
But, while biometric authentication provides the best form of user verification by leveraging inherently unique human traits, some concerns may prevent an enterprise from adopting it. Effective implementation of biometrics relies on having the right software and hardware, which presents a cost barrier, especially to smaller businesses. Depending on the end user, there may be concerns about individual privacy (more on this later) and fears of what data a business is capturing and how they’ll use it. Regional regulations may also have a say in how personal data can be shared and stored. Last but not least, there are also accessibility concerns. Computing technology has vastly improved for users with disabilities, but the issue remains that biometric authentication’s design doesn’t fully consider users who can’t provide fingerprint or face recognition.
At Okta, we strive to provide the most secure login methods for all users. This is why we’ve enabled organizations to leverage FastPass with biometrics or a device-bound passcode to step up secure authentication in higher-risk scenarios.
Enforce user verification with biometrics or device-bound passcodes
FastPass is a phishing-resistant, passwordless authenticator under the Okta Verify application that helps mitigate the impact of phishing attacks, session theft, and unauthorised local activity. Designed for defense in depth, FastPass evaluates device context each time the user opens a protected resource and provides a user-friendly experience consistent across all major platforms and devices, managed or unmanaged. FastPass provides the safest way to authenticate, partly by integrating with device biometrics for a higher security assurance level with proof of possession and inherence. But now, users with devices that don’t support biometrics or who can’t or prefer not to use biometrics can provide a passcode alongside FastPass to complete phishing-resistant MFA.
Setup user verification during FastPass onboarding
Okta Verify’s enrollment process now supports user verification with a passcode in addition to biometrics. When end users enable this feature, they’ll be asked to confirm their passcode (i.e., typically their device login password or Windows Hello PIN, if applicable). This enhancement broadens accessibility, enabling all users to authenticate with Okta Verify and FastPass, regardless of device capabilities, personal constraints, or compliance requirements. This enhancement is currently available for Early Access (EA). Read the product documentation to learn more.
Require user verification for authentication to an application with FastPass
Now, when you edit or create a new authentication policy rule, you can require end users to prove they’re physically present to authenticate with FastPass. The end user can address this requirement via their system passcode or biometrics to verify their identity. This enhancement is currently Generally Available. Read the product documentation to learn more.
How is a device-bound passcode more secure than a password?
Understanding the distinction between a device passcode and an Okta password is essential for appreciating their different security implications. When FastPass is enrolled on a device, it leverages a unique device-bound key, typically stored within a component like a TPM or Secure Enclave when available. Access to this key, and thereby authentication to online applications or services, is gated either by biometrics or a local authentication method such as a device-bound passcode. This setup ensures the authentication process is signed with a key exclusive to that specific device, enhancing security. In contrast, your Okta password, a phrase or passcode stored on Okta’s servers, is designed to grant access from any internet-connected device. The critical difference is in the security model: While an Okta password could potentially be used from any device if compromised, the device-bound key remains secure and exclusive to the enrolled device. This means that even if an attacker learns the device-bound passcode, the key it unlocks is still only usable on that device. This mitigates potential phishing attacks, which might use a compromised passcode.
Don’t worry, Okta can’t see your biometric data
Data privacy and security regulations have been maturing for years to protect individuals from the overreach of technology, and they’re affecting the data practices of organisations in a big way. For example, the Illinois Biometric Information Privacy Act (BIPA), enacted in 2008, has clear guidelines on handling biometric data, resulting in numerous cases impacting the finances and reputations of various businesses.
At Okta, our products don’t process or store biometric information. While Okta Verify and FastPass leverage biometrics — as provided by built-in biometric authenticators on laptops and smartphones — for two-factor authentication (2FA), Okta is only aware of the exchange of user verification cryptographic keys that indicates a successful biometric authentication and cannot access the biometric data. In other words, if an individual uses biometric information to authenticate on the Okta Verify application, Okta does not receive the biometric data. Instead, we receive notice of authentication failure or success from the local device operating system. The biometric data is controlled on the device, and whether or not the device stores the actual biometric information depends on the device provider. Whether you have an Apple device, a phone by Google, or some other computer, you can read more about their data privacy policies to learn how they handle biometric data.
As always, using biometrics is a choice. An admin or user can enable or disable biometrics technology anytime through the device settings. And now, with the option for user verification with a passcode, you can still enforce MFA alongside FastPass without biometrics.
What else is new with FastPass?
At Okta, we want to ensure your entire workforce can easily access their applications with FastPass as the most secure authenticator in the market. That means going beyond phishing-resistant authentication to deliver phishing-resistant FastPass recovery and onboarding processes for secure end-to-end authenticator management. To that end, Okta recently provided additional flexibility for administrators to enforce the use of higher security methods by end users for Okta Verify enrolment, which is Generally Available today under Authenticator settings.
In addition, Windows Okta Verify and FastPass support for virtual desktop infrastructure (VDI) environments is now Generally Available in Windows Okta Verify 4.9. Supported environments include Windows 365, Citrix, and AWS WorkSpaces. Admins can configure Windows Okta Verify to run in virtual environments by setting the AuthenticatorOperationMode flag (see instructions on how to configure Windows Okta Verify). For 2FA, admins can also configure Okta Verify to prompt users to create a passcode that will protect and allow access to a device-bound user verification key. This capability enables organizations to use FastPass and device posture checks to secure authentication flows in virtual Windows environments. For end users, this means secure and intuitive phishing-resistant access to resources from their virtual desktops.
We’re excited to continue innovating and improving product flexibility and visibility to help organizations move towards higher security assurance options with confidence. Stay tuned for more FastPass updates!
Have questions about FastPass or device security? Join the community discussion board.