Passwordless Sign-in with Okta IDV Standard
You can configure a passwordless sign-in experience using Incode IDV and
Okta Fastpass. In this flow, users authenticate with Okta Verify with
Fastpass instead of a password. Incode IDV is used during the initial
enrollment step to verify the user's identity before Fastpass is provisioned
to their device.
Prerequisite: This guide assumes you have completed the Okta IDV Standard
setup guide. The Incode IDV identity provider must be active in your Okta
instance before configuring this flow.
Prerequisites
- You have completed the Okta IDV Standard setup guide
- Okta Verify is installed on users' devices
- Okta Device Trust is configured for your organization
- Familiarity with Okta Fastpass configuration and Okta passwordless
sign-in setup
How it works
This flow uses Incode IDV as a one-time identity proofing step during
Fastpass enrollment. It does not invoke Incode on every sign-in — only
during the initial setup of Okta Verify on a user's device.
The enrollment sequence works as follows:
- A user's password is removed from their Okta profile and their
authenticators are reset.
- The user opens the Okta Verify app and begins enrollment using your
organization's domain.
- Okta's enrollment policy requires identity verification — Incode IDV is
invoked and the user completes a document and biometric check on their
device.
- On successful verification, Okta provisions Fastpass to the device.
- From that point forward, the user signs in using Okta Verify with
Fastpass — no password required.
Set up guide
Step 1: Configure authenticators
- Log in to your Okta Admin Console.
- Navigate to Security → Authenticators.
- Edit Email and enable it for both Authentication and Recovery.
Step 2: Set up an enrollment policy
- Under Authenticators, select Enrollment.
- Edit an existing enrollment policy or add a new one tied to the group
of users you want to enroll in passwordless (for example, a group named
Incode Identity Verification).
- Set Email and Okta Verify as required authenticators in the
policy.
Tip: Okta recommends keeping admin users in a separate group with password
access maintained to avoid locking out administrators.
Step 3: Create a passwordless authentication policy
- Navigate to Security → Authentication Policies.
- Create a new policy (for example, Passwordless Policy).
- Set the Catch-all Rule to Deny.
- Add a new rule with the following configuration:
  - Rule name — for example, Incode Passwordless
  - IF — User's group membership includes — your passwordless users
  group
  - THEN — User must authenticate with — Possession factor
  - In the Allowed Authenticators list, ensure only Okta Verify —
  Fastpass is shown. Use Allow specific authentication methods if
  additional control is needed.
- Assign the Okta Dashboard app to this policy.
Step 4: Update the Global Session Policy
- Navigate to Security → Global Session Policy.
- Edit your Global Session Policy rule.
- Set Establish the user session with to Any factor used to meet
the Authentication Policy requirements.
- Save the rule.
Step 5: Enroll and test
- Reset a test user's authenticators and remove their password from the
user's Okta profile.
- Have the test user sign in to the Okta Verify app directly using your
organization's domain.
- The user will be prompted to verify their identity via Incode IDV before
Fastpass is provisioned to their device.
- After successful verification, confirm the user can sign in using Okta
Fastpass without a password.
If the test fails: If the user is not prompted for Incode IDV during enrollment, confirm
that the enrollment policy is applied to the correct group and that Okta
Verify is set as a required authenticator. If the user is prompted for a
password, verify that the catch-all rule in the passwordless
authentication policy is set to Deny and that the policy is assigned
to the Okta Dashboard app.
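The checks from Steps 2 to 4 and the troubleshooting note above can be run as a lint over a recorded copy of the settings. This is an added example, not Incode or Okta code: the dictionary layout and key names are hypothetical and only mirror the settings this guide names, not Okta's API schema, and both sample configurations are constructed.

```python
import copy

# Added example. Key names are hypothetical and only mirror the settings named
# in Steps 2-4 of this guide; this is not Okta's API schema.
FASTPASS = "Okta Verify - Fastpass"
ANY_FACTOR = "Any factor used to meet the Authentication Policy requirements"

def audit_passwordless(cfg, group):
    """Return findings; an empty list means the settings match the guide."""
    out = []
    enroll, auth = cfg["enrollment_policy"], cfg["authentication_policy"]
    # Step 2: policy targets the group and requires Email and Okta Verify.
    if group not in enroll["groups"]:
        out.append("enrollment policy not applied to group")
    for name in ("Email", "Okta Verify"):
        if enroll["authenticators"].get(name) != "required":
            out.append(f"{name} not required in enrollment policy")
    # Step 3: catch-all Deny, possession-only rule limited to Fastpass.
    if auth["catch_all"] != "Deny":
        out.append("catch-all rule is not Deny")
    rules = [r for r in auth["rules"] if group in r["groups"]]
    if not rules:
        out.append("no authentication rule covers group")
    for r in rules:
        if r["must_authenticate_with"] != "Possession factor":
            out.append(f"rule {r['name']}: not possession factor")
        if r["allowed_authenticators"] != [FASTPASS]:
            out.append(f"rule {r['name']}: authenticators not limited to Fastpass")
    if "Okta Dashboard" not in auth["assigned_apps"]:
        out.append("policy not assigned to Okta Dashboard")
    # Step 4: session is established by the factor that met the authentication policy.
    if cfg["global_session_policy"]["establish_session_with"] != ANY_FACTOR:
        out.append("global session policy setting differs from Step 4")
    return out

# Constructed sample: the configuration the guide describes.
GOOD = {
    "enrollment_policy": {"groups": ["Incode Identity Verification"],
                          "authenticators": {"Email": "required", "Okta Verify": "required"}},
    "authentication_policy": {
        "catch_all": "Deny", "assigned_apps": ["Okta Dashboard"],
        "rules": [{"name": "Incode Passwordless", "groups": ["Incode Identity Verification"],
                   "must_authenticate_with": "Possession factor",
                   "allowed_authenticators": [FASTPASS]}]},
    "global_session_policy": {"establish_session_with": ANY_FACTOR},
}
# Constructed sample: two settings that deviate from Step 3.
BAD = copy.deepcopy(GOOD)
BAD["authentication_policy"]["catch_all"] = "Allow"
BAD["authentication_policy"]["rules"][0]["allowed_authenticators"].append("Password")
```

Calling `audit_passwordless(BAD, "Incode Identity Verification")` reports the catch-all and the extra authenticator; passing a group name the policies do not reference reports the group-assignment gaps instead.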
