FIDO2 for Desktop MFA for macOS

April 2024: This is an Early Access feature.

In the next phase, Okta Device Access enables end users to complete their challenge with a FIDO2 security key to log in to their macOS devices.
In this blog post you will get an overview of how to set up FIDO2 authentication, what the user experience looks like, and some “good to know” hints.

Requirements

  • Okta Identity Engine (OIE)
  • Okta Desktop MFA configured:
    – If you are using Workspace ONE UEM as your Mobile Device Management (MDM) solution, you can follow this step-by-step guide
    – If you are using Jamf Pro as your Mobile Device Management (MDM) solution, you can follow this step-by-step guide
  • Okta Verify version 9.15 (Early Access) deployed on your macOS device
  • User Verification settings configured based on security requirements and desired use cases
  • FIDO2 Security Key enrolled for the user(s)
    In this blog I am using different types of YubiKeys for the demos and screenshots.

Set up the FIDO2 (WebAuthn) authenticator

To enable users to authenticate with a FIDO2 key, set up the FIDO2 (WebAuthn) authenticator in the Okta Admin Console.
In the Okta Admin Console, go to Security –> Authenticators.

Click Add authenticator.

From the list of authenticators, click Add under FIDO2 (WebAuthn).

On the General settings page, click Edit.
Under Settings, use the dropdown menu to select a User verification method.

You can review the content below the setting to learn more about what each user verification type does.
In this blog post I will cover the following settings:

  • User Verification Discouraged
  • User Verification Required

Click Add to save the settings.

Use Case – User verification “disabled”

In this section I will describe the setup and what the user experience looks like while user verification is disabled in the FIDO2 settings and in the Desktop MFA Authentication Policy.

User verification set to Discouraged
User verification disabled in the Authentication Policy

User registers a YubiKey using the Okta End-User Dashboard

There are several ways you can prepare a FIDO2 key for your users. In this example I will show how users can set up their own FIDO2 keys in the Okta End-User Dashboard.

Logged in to the Okta End-User Dashboard, click on your user name in the top right of the screen, then click the Settings button.

Scroll down to the Security Methods menu and press the Set up button next to Security Key or Biometric Authenticator.

You need to verify your identity first; then you will be forwarded to the next step. Press Set up.

Click the Set up button

In my example I select the “Use a phone, tablet, or security key” option for my YubiKey.

Now just insert and touch your YubiKey

and select Allow here

Back in your Okta End-User Dashboard you should see your YubiKey successfully set up.

Demos – User registers a YubiKey

In this demo you can see how a user registers a YubiKey 5Ci via the Okta End-User Dashboard.

Register YubiKey 5Ci via Okta End-User Dashboard

In the second demo you can see how a user registers a YubiKey C Bio via the Okta End-User Dashboard.

Register YubiKey C Bio Series via Okta End-User Dashboard

User Experience – Desktop MFA FIDO2 YubiKey

In the first step, the user must enter their macOS password.

Select the FIDO2 factor

If the YubiKey is already plugged into the device, just tap it.

Demo – Desktop MFA FIDO2 YubiKey

This demo shows the Desktop MFA login with a FIDO2 YubiKey Security Key without user verification enabled.

Use Case – User Verification “enabled”

In this section I’ve enabled user verification in the FIDO2 settings and in the Desktop MFA Authentication Policy, so we can see how the setup and user experience differ.

User verification set to Required
User verification enabled in the Authentication Policy

Register a YubiKey on behalf of a user in the Admin Console

In this example I will show how to manually enroll a YubiKey for a user in the Okta Admin Console.
I used a YubiKey 5Ci for this setup; the registration may vary for other models.

Let’s start the setup by navigating to Directory –> People.

Search for the user and open the profile.

Click on More Actions and select “Enroll FIDO2 Security Key”

In the next screen, click the Register button to continue.

Another tab opens in the browser, so please make sure that pop-ups are allowed in your browser.
Select Use a phone, tablet, or security key here.

Now just insert and touch your YubiKey

As we’ve set User verification in the FIDO2 (WebAuthn) settings to Required, we need to set up a PIN for the YubiKey.
Set the PIN, confirm it, and press the Next button to continue.

Touch your YubiKey to continue.

Select Allow to continue.

A message appears stating that the registration was successful.

Back in your Okta End-User Dashboard you should see your YubiKey successfully set up.

Demo – Register a YubiKey on behalf of user

In this demo you can see the registration process of a YubiKey 5Ci on behalf of a user via the Okta Admin Console.

User Experience – Desktop MFA FIDO2 YubiKey

In the first step, the user must enter their macOS password.

Select the desired MFA authenticator.

If the YubiKey is not already plugged into your device, you will see the following message.

And here is the last step to complete a successful login with the YubiKey.

Demo – Desktop MFA FIDO2 YubiKey C Bio

If a user uses a YubiKey C Bio Series key, the user experience is as follows.

Okta Device Access – FIDO2 YubiKey C Bio login

Demo – Desktop MFA FIDO2 YubiKey 5Ci

If a user uses a YubiKey 5Ci, the user experience is as follows: you must first enter the registered PIN before the login continues.

Okta Device Access – FIDO2 YubiKey 5Ci login

Good to know

It is important to know that when user verification is enabled in the Desktop MFA sign-on policy, it must also be enabled in the FIDO2 settings.

USB Restriction Mode on Apple silicon devices

On computers with an Apple silicon chip running macOS Ventura and later, Apple has introduced a USB Restriction Mode setting that determines whether new or unknown USB devices, including YubiKeys and other FIDO2 keys, are allowed to connect.

YubiKey Enrollment

A big part of the challenge with deploying YubiKeys is the operational complexity (handling of keys, delivering the physical keys to end users, enrollment, recovery, etc.).
At Oktane 2023, we announced the pre-enrollment of FIDO2 YubiKeys. This initiative and partnership helps to lower the complexity and, more importantly, bolsters the security around rolling out FIDO2 YubiKeys with Okta, by leveraging the Yubico Enterprise Delivery (YED) offering to remove as much friction as we can for admins rolling out these physical tokens.

Reset a YubiKey

During testing, it may sometimes be necessary to reset the YubiKey.
To do this you can use YubiKey Manager, which also lets you configure the FIDO2, OTP and PIV functionality of your YubiKey on Windows, macOS, and Linux.
The tool works with any currently supported YubiKey.
You can download it here, and I’ve also prepared a short demo on how to reset your YubiKey.

How to reset YubiKey with YubiKey Manager
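Two things from this post lend themselves to a small script: the PIN that User Verification Required depends on (see the Admin Console enrollment above), and the reset described in this section. The following is an added example, not code from the post or from Okta or Yubico, and it uses the ykman CLI that ships with YubiKey Manager; the exact wording of the `ykman fido info` PIN line is an assumption, so the parser only keys on a line starting with "PIN" and the words "not set".

```shell
#!/bin/sh
# Added example (not from the original post): preflight a YubiKey for a
# Desktop MFA policy with User Verification set to Required, and reset it
# after testing. Requires the ykman CLI from YubiKey Manager.
# Assumption: `ykman fido info` prints a line beginning with "PIN" that
# contains "not set" until a FIDO2 PIN exists; any other PIN line means set.

# pin_state: read `ykman fido info` output on stdin,
# print "set", "not-set" or "unknown".
pin_state() {
    info=$(cat)
    pin_line=$(printf '%s\n' "$info" | grep -i '^PIN' | head -n 1)
    if [ -z "$pin_line" ]; then
        echo unknown
    elif printf '%s' "$pin_line" | grep -qi 'not set'; then
        echo not-set
    else
        echo set
    fi
}

# uv_ready: succeed (0) only when a PIN is already set, i.e. the key can
# satisfy User Verification Required without Okta prompting for a new PIN.
uv_ready() {
    [ "$(pin_state)" = "set" ]
}

# check_key: query the inserted key and report what the enrollment will do.
check_key() {
    if ! command -v ykman >/dev/null 2>&1; then
        echo "ykman not installed" >&2
        return 2
    fi
    if ykman fido info | uv_ready; then
        echo "FIDO2 PIN present: key is ready for UV Required"
    else
        echo "no FIDO2 PIN: Okta will ask the user to set one during enrollment"
    fi
}

# reset_key: wipe all FIDO2 credentials and the PIN (testing only).
# ykman asks you to re-insert the key and touch it shortly afterwards.
reset_key() {
    ykman fido reset --force
}

if [ "${1:-}" = "reset" ]; then reset_key; elif [ "${1:-}" = "check" ]; then check_key; fi
```

Run `sh preflight.sh check` with the key inserted before enrolling it under a UV Required policy, and `sh preflight.sh reset` to wipe it between test runs.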

User has no YubiKey registered

If a user has no YubiKey registered and tries to log in to the macOS device, the following error message appears during authentication.

You will also see the errors in the OktaDeviceAccess.log file, which is located in /var/log/com.okta.deviceaccess.
You can watch this in this short demo.

Okta Device Access – What if no FIDO2 YubiKey registered

Demo – Desktop MFA initial setup with FIDO2 Yubikey login

This demo shows the complete flow when a user sets up Okta Device Access for the first time and then logs in to macOS with their FIDO2 key the next time.

Desktop MFA initial setup with FIDO2 YubiKey login

Demo – FIDO2 Security Key already connected

Last but not least, a demo of what the user experience looks like when the YubiKey is already plugged into the device.

FIDO2 YubiKey already plugged into macOS device

Conclusion

With this release we support the following macOS factors:

  • Offline: Okta Verify one-time password
  • Online: Okta Verify push, Okta Verify one-time password, FIDO2 YubiKeys

I hope you enjoyed reading this blog and watching the demos.
