Factors API, factorType: webauthn, provider: FIDO

I am trying to use the Factors API to enroll different factors for my tenant. I have been successful with many of the factors, but am stuck on ‘Security Key or Built-in Authenticator’.

I am able to use Okta’s Settings page to enroll my device. When I make an API call to see my factors, the factor is listed as factorType: webauthn with provider: FIDO.

I can’t find that factorType anywhere in the Factors API.

Can someone please point me in the right direction?


Some factors are yet to be supported through the API.

What kind of security key are you using?

I do see that Web Authentication (FIDO2) is an ‘Early Access’ feature. But I was hoping there was still some way of using the API, maybe the U2F flow?

I am using a couple of different YubiKeys.

I believe YubiKeys can be done via the API. If you explore the Postman collection (Factor lifecycle options), you can enroll the user by passing the body below:

{
  "factorType": "token:hardware",
  "provider": "YUBICO",
  "verify": {
    "passCode": "cccccceukngdfgkukfctkcvfidnetljjiknckkcjulji"
  }
}

FIDO2 is not yet possible.

Yes, YubiKeys can be done that way. But it also requires quite a bit of setup to use the YubiKey in that way. We may have 10k keys in use, and no one wants to plug all of them in, one at a time, to get them set up.

I’m sorry, but that is kind of the point of YubiKeys. You could try to contact Yubico to see if they offer a service to set them up for you, but it will also require them getting someone to plug in the YubiKeys one at a time to set them up.

You could allow your users to set up the YubiKeys themselves, which should help; however, there is no way to do this without plugging in each one.

Finally figured this one out. Here is how you do it:

First you enroll with a POST to the factors endpoint.

POST /api/v1/users/:uid/factors
{
  "factorType": "webauthn",
  "provider": "FIDO"
}

This will return a response that includes response._embedded.activation, which you will need for your call to navigator.credentials.create().

Use the credential that is returned from navigator.credentials.create() in your POST to the activate endpoint.

credential.response.attestationObject will be sent as "registrationData"
credential.response.clientDataJSON will be sent as "clientData"

So something like this:

POST /api/v1/users/:uid/factors/:factorid/lifecycle/activate
{
  "registrationData": credential.response.attestationObject,
  "clientData": credential.response.clientDataJSON
}
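The two-step flow in the answer above, written out as an added browser-side example (this is not code from the thread, nor Okta's own SDK). It assumes that the activation object carries `challenge`, `user.id` and any `excludeCredentials[].id` as base64url strings, that the activate endpoint accepts `registrationData` and `clientData` as base64url strings, and that requests use Okta's `SSWS <apiToken>` authorization scheme. `fetchFn` and `createFn` are injectable so the helpers can be exercised outside a browser.

```javascript
// Added example; not from the thread or Okta's own code. Runs in a browser (the WebAuthn
// ceremony needs navigator.credentials) or, with fetchFn/createFn injected, in Node 16+.
// Assumption: Okta delivers challenge, user.id and excludeCredentials[].id as base64url
// strings, and expects registrationData / clientData on activate as base64url strings.

// base64url string -> ArrayBuffer (WebAuthn wants binary fields as buffers).
function base64urlToBuffer(str) {
  const pad = '='.repeat((4 - (str.length % 4)) % 4);
  const bin = atob((str + pad).replace(/-/g, '+').replace(/_/g, '/'));
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes.buffer;
}

// ArrayBuffer or typed-array view -> unpadded base64url string.
function bufferToBase64url(buf) {
  const bytes = ArrayBuffer.isView(buf)
    ? new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength)
    : new Uint8Array(buf);
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Step 1 result (_embedded.activation) -> argument for navigator.credentials.create().
// rp.id is left to the browser default (the page's effective domain), so the ceremony
// has to run on the domain the relying party expects.
function buildCreationOptions(activation) {
  return {
    publicKey: {
      rp: activation.rp,
      user: {
        id: base64urlToBuffer(activation.user.id),
        name: activation.user.name,
        displayName: activation.user.displayName,
      },
      challenge: base64urlToBuffer(activation.challenge),
      pubKeyCredParams: activation.pubKeyCredParams,
      attestation: activation.attestation,
      authenticatorSelection: activation.authenticatorSelection,
      excludeCredentials: (activation.excludeCredentials || []).map((c) => ({
        type: c.type,
        id: base64urlToBuffer(c.id),
      })),
      timeout: 60000,
    },
  };
}

// PublicKeyCredential -> body for POST .../lifecycle/activate (step 2).
function buildActivateBody(credential) {
  return {
    registrationData: bufferToBase64url(credential.response.attestationObject),
    clientData: bufferToBase64url(credential.response.clientDataJSON),
  };
}

// Whole enrollment: enroll, run the ceremony, activate. Resolves to the activated factor.
async function enrollWebauthn({ oktaOrigin, apiToken, userId,
    fetchFn = (...a) => fetch(...a),
    createFn = (o) => navigator.credentials.create(o) }) {
  const headers = {
    'Content-Type': 'application/json',
    Accept: 'application/json',
    Authorization: `SSWS ${apiToken}`, // Okta API token scheme
  };
  const base = `${oktaOrigin}/api/v1/users/${encodeURIComponent(userId)}/factors`;

  const enrollRes = await fetchFn(base, {
    method: 'POST', headers,
    body: JSON.stringify({ factorType: 'webauthn', provider: 'FIDO' }),
  });
  if (!enrollRes.ok) throw new Error(`enroll failed: HTTP ${enrollRes.status}`);
  const factor = await enrollRes.json();

  // The authenticator signs the server challenge; the private key never leaves it.
  const credential = await createFn(buildCreationOptions(factor._embedded.activation));

  const activateRes = await fetchFn(`${base}/${factor.id}/lifecycle/activate`, {
    method: 'POST', headers,
    body: JSON.stringify(buildActivateBody(credential)),
  });
  if (!activateRes.ok) throw new Error(`activate failed: HTTP ${activateRes.status}`);
  return activateRes.json();
}

// Browser usage (org URL, API token and user id are placeholders):
// enrollWebauthn({ oktaOrigin: 'https://YOUR_ORG.okta.com', apiToken: 'API_TOKEN', userId: 'USER_ID' })
//   .then((f) => console.log('factor status:', f.status));
```

In a real deployment the `SSWS` API token must not reach the browser: keep both Factors API calls on a backend, hand the browser only the `activation` object, and have it return the `buildActivateBody` result. The origin the browser records inside `clientDataJSON` is part of what the server verifies, which is why the ceremony must run on the domain the relying party expects.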

Hi,
I have been trying to do the same, i.e. do WebAuthn enrollment using the Okta API. As per the WebAuthn documentation, the origin is verified; if the enrollment is done using something other than the Okta URL, did it work for you?