Passwordless Sign-in with Okta IDV Standard
You can configure a passwordless sign-in experience using Incode IDV and Okta Fastpass. In this flow, users authenticate with Okta Verify with Fastpass instead of a password. Incode IDV is used during the initial enrollment step to verify the user's identity before Fastpass is provisioned to their device.
Prerequisite: This guide assumes you have completed the Okta IDV Standard setup guide. The Incode IDV identity provider must be active in your Okta instance before configuring this flow.
Prerequisites
- You have completed the Okta IDV Standard setup guide
- Okta Verify is installed on users' devices
- Okta Device Trust is configured for your organization
- Familiarity with Okta Fastpass configuration and Okta passwordless sign-in setup
How it works
This flow uses Incode IDV as a one-time identity proofing step during Fastpass enrollment. It does not invoke Incode on every sign-in — only during the initial setup of Okta Verify on a user's device.
The enrollment sequence works as follows:
- A user's password is removed from their Okta profile and their authenticators are reset.
- The user opens the Okta Verify app and begins enrollment using your organization's domain.
- Okta's enrollment policy requires identity verification — Incode IDV is invoked and the user completes a document and biometric check on their device.
- On successful verification, Okta provisions Fastpass to the device.
- From that point forward, the user signs in using Okta Verify with Fastpass — no password required.
Set up guide
Step 1: Configure authenticators
- Log in to your Okta Admin Console.
- Navigate to Security → Authenticators.
- Edit Email and enable it for both Authentication and Recovery.
Step 2: Set up an enrollment policy
- Under Authenticators, select Enrollment.
- Edit an existing enrollment policy or add a new one tied to the group of users you want to enroll in passwordless (for example, a group named Incode Identity Verification).
- Set Email and Okta Verify as required authenticators in the policy.
Tip: Okta recommends keeping admin users in a separate group with password access maintained to avoid locking out administrators.
Step 3: Create a passwordless authentication policy
- Navigate to Security → Authentication Policies.
- Create a new policy (for example, Passwordless Policy).
- Set the Catch-all Rule to Deny.
- Add a new rule with the following configuration:
  - Rule name — for example, Incode Passwordless
  - IF — User's group membership includes — your passwordless users group
  - THEN — User must authenticate with — Possession factor
- In the Allowed Authenticators list, ensure only Okta Verify — Fastpass is shown. Use Allow specific authentication methods if additional control is needed.
- Assign the Okta Dashboard app to this policy.
Step 4: Update the Global Session Policy
- Navigate to Security → Global Session Policy.
- Edit your Global Session Policy rule.
- Set Establish the user session with to Any factor used to meet the Authentication Policy requirements.
- Save the rule.
Step 5: Enroll and test
- Reset a test user's authenticators and remove their password from the user's Okta profile.
- Have the test user sign in to the Okta Verify app directly using your organization's domain.
- The user will be prompted to verify their identity via Incode IDV before Fastpass is provisioned to their device.
- After successful verification, confirm the user can sign in using Okta Fastpass without a password.
If the test fails: If the user is not prompted for Incode IDV during enrollment, confirm that the enrollment policy is applied to the correct group and that Okta Verify is set as a required authenticator. If the user is prompted for a password, verify that the catch-all rule in the passwordless authentication policy is set to Deny and that the policy is assigned to the Okta Dashboard app.
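The Step 3 checks named in the troubleshooting note can also be run against the authentication policy's rules exported as JSON. This is an added example, not part of the original guide and not Okta or Incode code. It assumes the rule field layout of Okta's Policy API; the group ID, the `_rule` helper and the sample rules are constructed for illustration.

```python
# Added example. Assumption: each rule uses the field layout of Okta's
# Policy API rule objects; every sample value below is constructed.

def audit_passwordless_rules(rules, group_id):
    """Return findings; an empty list means the rules match Step 3."""
    findings, scoped_allow = [], False
    if not any(r.get("system") for r in rules):
        findings.append("no catch-all rule found")
    for r in rules:
        sign_on = r["actions"]["appSignOn"]
        if r.get("system"):
            if sign_on["access"] != "DENY":
                findings.append(f"{r['name']}: catch-all is not Deny")
            continue
        if sign_on["access"] != "ALLOW":
            continue
        people = (r.get("conditions") or {}).get("people") or {}
        groups = (people.get("groups") or {}).get("include") or []
        if group_id not in groups:
            findings.append(f"{r['name']}: Allow rule is not scoped to the passwordless group")
            continue
        scoped_allow = True
        constraints = (sign_on.get("verificationMethod") or {}).get("constraints") or []
        # Constraints are alternatives, so each one must require possession
        # and none may ask for a knowledge factor such as a password.
        if not constraints or any("possession" not in c for c in constraints):
            findings.append(f"{r['name']}: possession factor is not required")
        if any("knowledge" in c for c in constraints):
            findings.append(f"{r['name']}: knowledge factor (password) is requested")
    if not scoped_allow:
        findings.append("no Allow rule targets the passwordless group")
    return findings

# Hypothetical helper that builds constructed sample rules.
def _rule(name, access, system=False, groups=None, constraints=None):
    cond = {"people": {"groups": {"include": groups}}} if groups else None
    method = {"factorMode": "1FA", "type": "ASSURANCE", "constraints": constraints or []}
    return {"name": name, "system": system, "conditions": cond,
            "actions": {"appSignOn": {"access": access, "verificationMethod": method}}}

GROUP = "00gEXAMPLEGROUPID"  # placeholder group id
GOOD_RULES = [_rule("Incode Passwordless", "ALLOW", groups=[GROUP], constraints=[{"possession": {}}]),
              _rule("Catch-all Rule", "DENY", system=True)]
BAD_RULES = [_rule("Incode Passwordless", "ALLOW", groups=[GROUP],
                   constraints=[{"knowledge": {"types": ["password"]}}]),
             _rule("Catch-all Rule", "ALLOW", system=True)]

if __name__ == "__main__":
    print(audit_passwordless_rules(BAD_RULES, GROUP))
```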
