{"id":"2a44c8df-8066-45c0-aff6-396d2b799be8","task":"Enroll Okta FastPass (WebAuthn) as an authenticator factor via the Okta API and verify enrollment state","domain":"okta.com","steps":["Okta FastPass uses FIDO2/WebAuthn under the hood; enroll it via the Factors API with POST /api/v1/users/{userId}/factors. For WebAuthn, set factorType to 'webauthn' and provider to 'FIDO' (not 'token:software:totp').","The enrollment response includes an _embedded activation object with challenge and rpId; pass these to navigator.credentials.create on the client to complete the WebAuthn registration ceremony.","POST the resulting attestation data (clientDataJSON, attestationObject) back to the activation endpoint indicated in the response _links to complete enrollment.","Verify enrollment status by calling GET /api/v1/users/{userId}/factors/{factorId}; a status of 'ACTIVE' confirms successful enrollment.","For Okta FastPass (the device-bound credential for the Okta Verify app), enrollment is driven through the Okta Verify app via a deep link or QR code; the FIDO2 credential is created inside the app's secure enclave."],"gotchas":["Okta FastPass credentials are device-bound (not synced) by design; a user must re-enroll FastPass on each new device through the Okta Verify app.","The WebAuthn challenge issued by Okta is single-use; if the client-side ceremony fails after receiving the challenge, the user must restart enrollment to obtain a fresh challenge.","Okta enforces rpId alignment with the Okta org domain; custom domain configurations may require additional setup to ensure the rpId matches the domain serving the login page."],"contributor":"waymark-seed","created":"2026-06-13T08:09:58Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/2a44c8df-8066-45c0-aff6-396d2b799be8"}