Customize the Passkeys (FIDO2 WebAuthn) end-user experience

If a user hasn't enrolled a Passkeys (FIDO2 WebAuthn) authenticator, Okta prompts them to do so the next time they sign in. For the biometric method, they're prompted to do a fingerprint or facial recognition scan. For the security key method, they're prompted to insert their security key to complete the enrollment. Prompts guide the user through the process.

When users enroll a WebAuthn security key or biometric authenticator, they're prompted to allow Okta to collect information about the authenticator they're enrolling. Users must allow Okta to see the make and model of the security key. This allows each Passkeys (FIDO2 WebAuthn) authenticator to appear by name in the Extra Verification section of the user's Settings page.
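To show what that permission discloses, here is an added example (not Okta's code or part of the original page). It assumes the make and model are conveyed the way the WebAuthn standard defines, as a 16-byte AAGUID inside the authenticator data returned at enrollment. The function names `parseAuthData` and `buildSample` and all sample bytes are constructed for illustration.

```javascript
// Flag bits of the authenticator data flags byte, as defined by WebAuthn.
const FLAGS = { UP: 0x01, UV: 0x04, AT: 0x40 };

// Parse the fixed-layout part of WebAuthn authenticator data:
// rpIdHash(32) | flags(1) | signCount(4) | [aaguid(16) | idLen(2) | credentialId | key]
function parseAuthData(buf) {
  if (!Buffer.isBuffer(buf) || buf.length < 37) {
    throw new Error('authData shorter than the 37-byte fixed header');
  }
  const flags = buf[32];
  const out = {
    rpIdHash: buf.subarray(0, 32).toString('hex'),
    userPresent: (flags & FLAGS.UP) !== 0,
    userVerified: (flags & FLAGS.UV) !== 0,
    signCount: buf.readUInt32BE(33),
    aaguid: null,          // stays null when no attested credential data is present
    modelDisclosed: false,
    credentialId: null,
  };
  if ((flags & FLAGS.AT) === 0) return out; // sign-in assertion, not an enrollment
  if (buf.length < 55) throw new Error('AT flag set but attested data is truncated');
  const h = buf.subarray(37, 53).toString('hex');
  out.aaguid = [h.slice(0, 8), h.slice(8, 12), h.slice(12, 16), h.slice(16, 20), h.slice(20)].join('-');
  // An all-zero AAGUID carries no model information (the user or client withheld it).
  out.modelDisclosed = !/^0+$/.test(h);
  const idLen = buf.readUInt16BE(53);
  if (buf.length < 55 + idLen) throw new Error('credential ID runs past end of authData');
  out.credentialId = buf.subarray(55, 55 + idLen).toString('base64url');
  return out;
}

// Constructed sample input: placeholder rpIdHash (not a real SHA-256), signCount 7,
// a 4-byte credential ID, and no trailing public key (this parser does not read it).
function buildSample(aaguidHex, flags = FLAGS.UP | FLAGS.UV | FLAGS.AT) {
  const head = Buffer.alloc(5);
  head[0] = flags;
  head.writeUInt32BE(7, 1);
  const credId = Buffer.from('a1a2a3a4', 'hex');
  const len = Buffer.alloc(2);
  len.writeUInt16BE(credId.length);
  return Buffer.concat([Buffer.alloc(32, 0xab), head, Buffer.from(aaguidHex, 'hex'), len, credId]);
}

// Placeholder AAGUID, not a real product identifier.
console.log(parseAuthData(buildSample('00112233445566778899aabbccddeeff')));
console.log(parseAuthData(buildSample('00'.repeat(16))).modelDisclosed); // false
```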

Once enrolled, users can select Passkeys (FIDO2 WebAuthn) to authenticate their sign-in. They're prompted to do a fingerprint or facial recognition scan, or insert their security key. Prompts guide the user through the process. Users can configure a maximum of 10 Passkeys (FIDO2 WebAuthn) enrollments.

Customize the authenticator name and description

You can change how the Passkeys (FIDO2 WebAuthn) authenticator appears in the Sign-In Widget. You can set the authenticator name to one of the following options:

  • Passkeys

  • Custom name and description

    • Custom name field

    • Custom description field

To set a custom name and description for the authenticator, follow these steps:

  1. In the Authenticator name section, select Custom name and description.

  2. In the Custom name field, enter a custom name for the authenticator to guide end users during enrollment and authentication.

  3. In the Custom description field, enter a description of the authenticator to display additional information to users during enrollment and authentication.

Configure the Sign in with a passkey button

Select the Show the "Sign in with a passkey" button checkbox to display the Sign in with a passkey button on the Sign-In Widget, allowing users with an enrolled passkey to authenticate quickly.

Users who don't have a passkey enrolled must authenticate with their username and an enrolled factor to add a new passkey before they can use the button.

Configure Passkeys Autofill

Passkeys Autofill encourages users to sign in using Passkeys (FIDO2 WebAuthn), making the sign-in process more efficient. It speeds up authentication because users don't need to enter a username, select an authenticator, or complete the MFA prompt.

Enable and disable Passkeys Autofill

  • To enable Passkeys Autofill, select the Enable autofill UI checkbox. Users see their enrolled passkeys as an option when they click the username field on the sign-in page.
  • To disable Passkeys Autofill, clear the Enable autofill UI checkbox. Passkeys no longer appear in the username field, and users must enter their username and choose their preferred security method.

End-user experience

To enroll a passkey, in the Okta End-User Dashboard, go to Account settings > Security Methods > Set up another Security Key or Biometric Authenticator.

Review the following information for passkeys use:

  • For the biometric method: If enrolled, biometric passkeys appear automatically when the user clicks the Username field.
  • For the security key method: Security keys don't appear automatically. To use a physical security key, you must click the option to use a different passkey, insert your hardware key, and follow the prompts in the browser.
  • If an expected passkey doesn't appear as an option, select the option to use a different passkey and try again.
  • If errors occur and you are prompted repeatedly to try a different key, don't unenroll a preregistered security key. Instead, remove the existing security key enrollment from your profile and enroll the hardware key again from the Okta End-User Dashboard.

Related topics

Passkeys (FIDO2 WebAuthn) support and behavior

Phishing-resistant authenticator enrollment