Okta FastPass uses FIDO2/WebAuthn under the hood. To enroll a WebAuthn factor through the Factors API, call POST /api/v1/users/{userId}/factors with factorType 'webauthn' and provider 'FIDO', not the 'token:software:totp' type used for TOTP enrollment.
The enrollment response includes an _embedded activation object with challenge and rpId; pass these to navigator.credentials.create on the client to complete the WebAuthn registration ceremony.
POST the resulting attestation data (clientDataJSON, attestationObject) back to the activation endpoint indicated in the response _links to complete enrollment.
Verify enrollment status by calling GET /api/v1/users/{userId}/factors/{factorId}; a status of 'ACTIVE' confirms successful enrollment.
For Okta FastPass (device-bound credential for Okta Verify app), enrollment is driven through the Okta Verify app via a deep link or QR code; the FIDO2 credential is created inside the app's secure enclave.
Known gotchas
Okta FastPass credentials are device-bound (not synced) by design; a user must re-enroll FastPass on each new device through the Okta Verify app.
The WebAuthn challenge issued by Okta is single-use; if the client-side ceremony fails after receiving the challenge, the user must restart enrollment to obtain a fresh challenge.
Okta enforces rpId alignment with the Okta org domain; custom domain configurations may require additional setup to ensure the rpId matches the domain serving the login page.
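The client side of the enrollment steps above, with the rpId and single-use-challenge gotchas handled explicitly. This is an added example, not Okta's code: the helper names, the assumed shape of the activation object (base64url challenge and user id), and the sample values are illustrative, and the clientData/attestation body fields follow Okta's Factors API documentation and should be checked against your org's response.

```javascript
const b64urlToBytes = (s) => {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64.padEnd(Math.ceil(b64.length / 4) * 4, "=");
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
};
const bytesToB64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
// WebAuthn accepts an rpId only if it equals the page host or is a parent domain of it.
const rpIdMatchesHost = (rpId, host) => host === rpId || host.endsWith("." + rpId);

// Assumed activation shape: { challenge, rpId, user: { id, name, displayName }, pubKeyCredParams }.
function toCreationOptions(activation, host) {
  if (!rpIdMatchesHost(activation.rpId, host)) {
    throw new Error(`rpId ${activation.rpId} does not cover page host ${host}`);
  }
  return {
    publicKey: {
      rp: { id: activation.rpId, name: activation.rpId },
      user: { ...activation.user, id: b64urlToBytes(activation.user.id) },
      challenge: b64urlToBytes(activation.challenge),
      pubKeyCredParams: activation.pubKeyCredParams,
    },
  };
}

// Body for the activation POST (field names as in Okta's Factors API documentation).
const toActivationBody = (cred) => ({
  clientData: bytesToB64(cred.response.clientDataJSON),
  attestation: bytesToB64(cred.response.attestationObject),
});

// Browser call: completeEnrollment(activation, location.hostname, navigator.credentials, post),
// where post(body) is a caller-supplied function that sends body to the _links activation URL.
async function completeEnrollment(activation, host, credentials, post) {
  const options = toCreationOptions(activation, host);
  let cred;
  try {
    cred = await credentials.create(options);
  } catch (err) {
    // The challenge is single-use: never retry with it, start a new enrollment instead.
    throw Object.assign(new Error("ceremony failed; restart enrollment"), { cause: err });
  }
  return post(toActivationBody(cred));
}
// Constructed sample, not a real Okta response.
const SAMPLE_ACTIVATION = {
  challenge: "Y2hhbGxlbmdlLTEyMw", rpId: "example.okta.com",
  user: { id: "dXNlci0x", name: "a@example.com", displayName: "A" },
  pubKeyCredParams: [{ type: "public-key", alg: -7 }],
};
```

Failing the rpId check before calling create() avoids spending the single-use challenge on a ceremony the browser would reject anyway, which is the usual symptom of a custom-domain mismatch.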