Enable Okta Passwordless authentication in 5 minutes

Passwordless is a big topic these days and the benefits of going passwordless are often described and well documented. But what about the setup? This guide is intended to show you how you can configure passwordless authentication in Okta easily and securely.

Andreas is a cloud architect at Cloudworks and an Okta Technical Champion. He helps customers on their digital identity journey by designing and implementing complex IAM solutions with a high degree of automation, achieving high impact with minimal user friction.

PREPARATION

Passwordless Authentication for Okta relies on Factor Sequencing and Okta Verify. To set up Factor Sequencing, you need to make sure that your license package allows you to use Factor Sequencing. If so, open a support ticket asking for “Factor Sequencing” to be enabled in your tenant. Normally, you enable Okta features yourself, but this is not (yet) the case for Factor Sequencing.

Enabling a Factor Sequencing policy may change the layout of the login form, and this affects all users. Instead of one form asking for username and password, the form asks for the username first, requires the user to click Next, and then presents the factor configured for that user object (password or passwordless).

Okta Verify is the Okta authenticator app and an easy “go to” for MFA. Hopefully you’ve already established Okta Verify in your environment, but if not, you can activate it through a Multifactor Enrollment policy for users. If it is defined as “optional”, users targeted by the policy are allowed to use it once they’ve installed Okta Verify on their Android or iOS smartphone.

The answer to the support case for activating the feature usually doesn’t take long, but depending on your time zone and support level you might need to wait a bit.

Once the feature is activated, you are ready to start.

Figure 1 - Login form with Factor Sequencing (or IDP Discovery) enabled. The password will be requested after clicking on "next".

Minute 1: CREATE TEST GROUP

Instead of reaching out to a wide audience from the start, we want to enroll users into passwordless gradually. Therefore we’re going to create a test group like “Enroll Passwordless” with one or a few test users included.

Figure 2 - Create test group "Enroll Passwordless"

Minute 2: CREATE SIGN-ON POLICY

When Factor Sequencing has been activated by Okta support, the interface and options relating to Sign-On Policies change a bit. Existing ones aren’t affected, but we now have more options available.

To activate passwordless for the newly created group, create a new Sign-On Policy under Security -> Authentication -> Sign-On and assign it to that group.

Figure 3 - Create Sign-On Policy for Passwordless Group

Minute 3: ADD RULE TO PASSWORDLESS POLICY

1. Define the name and the general options

After you’ve clicked “Create Policy and Add Rule,” the Add Rule dialog automatically opens to create the first rule in the policy.

Here you define a name and the general options. The right settings depend on your environment, so you may want to change them; in our example we keep the defaults.

Figure 4 - Sign-On Rule: Generic options

2. Define the authentication chain(s)

The second part is where the magic happens: here we select “Factor Sequence” as the authentication method, and now we can define which authentication chain a user is offered.

It can be a single chain (passwordless) or multiple ones, for example if you want to give users of the group the choice between passwordless and password with MFA.

Figure 5 - Passwordless Authentication rule

To define a passwordless authentication chain, you simply select “Okta Verify Push” and no “Additional Authentication”. Okta Verify Push is already considered a secure form of authentication, so no additional factor is needed to fulfill a strong security setting.

3. Additional chain with password & MFA

In our example we will now also add an additional chain with password and MFA, giving users a choice if they do not have a smartphone or are not able to download and install Okta Verify just now.

To do that, click on “Add Authentication Chain” and select “Password” with “SMS Authentication” as the additional authentication.

Figure 6 - Additional Authentication Chain: Password with MFA

Define the session lifetime based on your needs and click on “Create Rule”. Afterwards, make sure that both the policy and the rule are “ACTIVE” and high in the priority list, so that the intended users are targeted by the policy. If another policy is higher in the priority list and also applies to the user, they will not get the passwordless options.
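The priority and status check described above is easy to get wrong in a tenant with several Sign-On Policies. The following added script (not from the original post or from Okta) verifies it offline against constructed sample data shaped like the Okta Policies API responses (`GET /api/v1/policies?type=OKTA_SIGN_ON` and `GET /api/v1/policies/{id}/rules`); the policy name, group ids and rule ids are placeholders.

```python
# Added example (not from the original post): checks that the passwordless Sign-On
# Policy and at least one of its rules are ACTIVE, and that no other active policy
# targeting the same users sits higher in the priority list (in Okta, priority 1
# is evaluated first). POLICIES and RULES are constructed sample data shaped like
# the Okta Policies API responses; every id below is a placeholder, not a real Okta id.

EVERYONE_GROUP = "00g-everyone-placeholder"      # Okta's built-in "Everyone" group (placeholder id)
PASSWORDLESS_GROUP = "00g-enroll-passwordless"   # the "Enroll Passwordless" test group (placeholder id)
PASSWORDLESS_POLICY = "Passwordless Sign-On"     # name of the policy created in Minute 2

POLICIES = [
    {"id": "pol-pwdless", "name": PASSWORDLESS_POLICY, "status": "ACTIVE", "priority": 1,
     "conditions": {"people": {"groups": {"include": [PASSWORDLESS_GROUP]}}}},
    {"id": "pol-default", "name": "Default Policy", "status": "ACTIVE", "priority": 2,
     "conditions": {"people": {"groups": {"include": [EVERYONE_GROUP]}}}},
]
RULES = {
    "pol-pwdless": [{"id": "rul-1", "name": "Passwordless", "status": "ACTIVE"}],
    "pol-default": [{"id": "rul-2", "name": "Default Rule", "status": "ACTIVE"}],
}
# Groups a member of the test group belongs to (every user is also in "Everyone").
TEST_USER_GROUPS = {EVERYONE_GROUP, PASSWORDLESS_GROUP}


def policy_targets(policy, user_groups):
    """True if the policy's group condition includes any of the user's groups."""
    conditions = policy.get("conditions") or {}
    include = conditions.get("people", {}).get("groups", {}).get("include", [])
    return bool(set(include) & set(user_groups))


def check_passwordless_policy(policies, rules_by_policy, policy_name, user_groups):
    """Return a list of problems; an empty list means the test user reaches the passwordless rule."""
    problems = []
    target = next((p for p in policies if p["name"] == policy_name), None)
    if target is None:
        return [f"policy '{policy_name}' not found"]
    if target["status"] != "ACTIVE":
        problems.append(f"policy '{policy_name}' is {target['status']}, not ACTIVE")
    if not any(r["status"] == "ACTIVE" for r in rules_by_policy.get(target["id"], [])):
        problems.append(f"policy '{policy_name}' has no ACTIVE rule")
    for other in policies:
        if other["id"] == target["id"] or other["status"] != "ACTIVE":
            continue
        # A higher-ranked (lower number) active policy that also matches the user wins,
        # so the user would never be offered the Okta Verify Push chain.
        if policy_targets(other, user_groups) and other["priority"] < target["priority"]:
            problems.append(f"'{other['name']}' (priority {other['priority']}) outranks "
                            f"'{policy_name}' (priority {target['priority']})")
    return problems


if __name__ == "__main__":
    print(check_passwordless_policy(POLICIES, RULES, PASSWORDLESS_POLICY, TEST_USER_GROUPS) or "OK")
```

Swap the two priorities in the sample data and the check reports the Default Policy outranking the passwordless one, which is exactly the situation in which test users never see the push option.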

Minute 4: TEST

Now go to the Okta login page, enter the username of one of the users in the test group and click “Next”.

If the user already has Okta Verify Push enrolled, you’ll find that you can just send the push notification right now.

Note that there is a selector next to the round Okta icon. This is the second option we defined in the Sign-On Policy, “Password with SMS”. Make sure you test this option as well after testing passwordless.

Figure 7 - Passwordless Push

Click “Send Push”, acknowledge the request in Okta Verify and you’re through.

Minute 5: REFLECT AND LOOK GOOD!

That's it. Have a cup of coffee and enjoy your work!

You’ve activated passwordless.

Spread the joy and invite others into the group to try and test the authentication methods and see how easy it is.