
Modify the "Any two factors" authentication policy to support Okta FastPass

ROLE REQUIRED

ZeroTek Administrator

ZeroTek Technician

BEFORE YOU BEGIN

This procedure assumes you have completed the steps to Activate Okta FastPass as an eligible verification option.

To allow passwordless access to apps, this procedure adds two rules to the authentication policy that governs the Okta Dashboard app:

  • A rule that allows users who meet FastPass requirements to authenticate

  • A catch-all deny rule that blocks access to anyone who doesn't

For most Okta orgs set up according to ZeroTek best practices, this means modifying the Any two factors policy.

Steps

Verify the correct policy

  1. Deep Link or log in to the target Okta Admin Console, then navigate to Security > Authentication Policies.

  2. Verify that the Any two factors policy governs the Okta Dashboard app.

Create a FastPass allow rule

  1. Click the Any two factors policy, then click Add rule.

  2. Name the rule Auth - FastPass - Allow.

  3. For AND User's group membership includes, select At least one of the following groups, then type the name of the group you are configuring for Okta FastPass. In most cases this will be Policy - All Staff.

  4. Configure the following device settings:

    • AND Device state is: Registered

    • AND Device management is: Not managed

  5. Configure the following access settings:

    • THEN Access is: Allowed after successful authentication

    • AND User must authenticate with: Any 2 factor types

    • AND Possession factor constraints are: Require user interaction (see Note below)

    • AND Authentication methods: Allow any method that can be used to meet the requirement

  6. In the Prompt for authentication area, select When an Okta global session doesn't exist, then click Save.

NOTE

Selecting Require user interaction for possession factor constraints means users authenticating with Okta FastPass must approve an Okta Verify prompt.

Create a catch-all deny rule

  1. Click Add rule.

  2. Name the rule Catch All - Deny.

  3. In the Then access is area, click Denied, then click Save.

Confirm rule order

  1. Make sure the rules in the Any two factors policy are in the following order:

    1. Auth - FastPass - Allow

    2. Catch All - Deny

    3. Catch All Rule

  1. In the Verification options area, make sure Okta FastPass (All platforms) is selected.

  2. In the Okta FastPass area, select Show the "Sign in with Okta FastPass".

  3. In the Enrollment options area, leave the default Any method.

  4. In the Device passcode or biometric user verification area, beside Enrollment, click Required.

  5. For Number challenge for Okta Verify push, click Never, then click Save.
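
The rule order confirmed above matters because Okta evaluates a policy's rules from the top and applies the first one that matches. The following Python is an added example, not ZeroTek or Okta code: it models first-match evaluation over a simplified, hypothetical rule format (the dict field names, the sample contexts and the permissive default rule are assumptions) and flags an ordering that would let non-FastPass sign-ins fall through.

```python
# Added example. Field names are illustrative assumptions, not Okta's API schema.

def matches(rule, ctx):
    """A rule matches when every condition it sets agrees with the context."""
    cond = rule.get("conditions", {})
    groups = cond.get("groups")
    if groups is not None and not set(groups) & set(ctx["groups"]):
        return False
    return all(cond[k] == ctx[k] for k in ("registered", "managed") if k in cond)

def evaluate(rules, ctx):
    """Return (rule name, access) for the first matching rule, top down."""
    for rule in rules:
        if matches(rule, ctx):
            return rule["name"], rule["access"]
    raise ValueError("no rule matched; a policy should end with a catch-all")

def check_order(rules):
    """Return a list of problems with the rule order this page specifies."""
    expected = ["Auth - FastPass - Allow", "Catch All - Deny", "Catch All Rule"]
    names = [r["name"] for r in rules]
    problems = []
    if names != expected:
        problems.append(f"rule order is {names}, expected {expected}")
    # The first unconditional rule decides every sign-in the allow rule skips.
    for rule in rules:
        if not rule.get("conditions"):
            if rule["access"] == "ALLOW":
                problems.append(f"'{rule['name']}' allows everyone before any deny")
            break
    return problems

# Constructed sample policy, in the order this page specifies.
POLICY = [
    {"name": "Auth - FastPass - Allow", "access": "ALLOW",
     "conditions": {"groups": ["Policy - All Staff"],
                    "registered": True, "managed": False}},
    {"name": "Catch All - Deny", "access": "DENY"},
    {"name": "Catch All Rule", "access": "ALLOW"},  # default rule, assumed permissive
]

# Constructed sign-in contexts: same staff user, registered vs. unregistered device.
STAFF_REGISTERED = {"groups": ["Policy - All Staff"], "registered": True, "managed": False}
STAFF_UNREGISTERED = {"groups": ["Policy - All Staff"], "registered": False, "managed": False}

if __name__ == "__main__":
    print(evaluate(POLICY, STAFF_REGISTERED))
    print(evaluate(POLICY, STAFF_UNREGISTERED))
    print(check_order(POLICY))
```

Reordering or removing entries in `POLICY` and re-running shows how a misplaced deny rule locks out FastPass users, and how a missing one lets unregistered devices reach the default rule.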

NEXT STEPS

If you are working in a sandbox environment, you can test your setup now: install Okta Verify on a Windows or macOS device, add a user account from the configured group, and attempt to authenticate with Okta FastPass. If successful, you are ready to repeat the FastPass configuration in your production environment. See the full testing guidance in the Okta FastPass Setup guide.


Need help? Contact ZeroTek Support at support@zerotek.com.
