Passwordless Sign-In with Okta IDV Standard

You can configure a passwordless sign-in experience using Incode IDV and Okta Fastpass. In this flow, users authenticate with Okta Verify with Fastpass instead of a password. Incode IDV is used during the initial enrollment step to verify the user's identity before Fastpass is provisioned to their device.


Prerequisites

Ensure you have the following before you begin:

  • The steps on the Okta IDV Standard setup page are complete
  • Okta Verify installed on users' devices
  • Okta Device Trust configured for your organization
  • Familiarity with Okta Fastpass and Okta passwordless sign-in configuration

Understand Passwordless Sign-In with IDV

This flow uses Incode IDV as a one-time identity proofing step during Fastpass enrollment. It does not invoke Incode on every sign-in, only during the initial setup of Okta Verify on a user's device. The enrollment sequence works as follows:

  1. The user's password is removed from their Okta profile and their authenticators are reset.
  2. The user opens the Okta Verify app and begins enrollment using your organization's domain.
  3. Okta's enrollment policy requires identity verification. Incode IDV is invoked and the user completes a document and biometric check on their device.
  4. On successful verification, Okta provisions Fastpass to the device.
  5. From that point forward, the user signs in using Okta Verify with Fastpass, no password required.

Set Up Passwordless Sign-In

Configure Authenticators

  1. Log in to your Okta Admin Console.
  2. Go to Security > Authenticators.
  3. Edit Email and enable it for both Authentication and Recovery.

Set Up an Enrollment Policy

  1. Under Authenticators, select Enrollment.
  2. Edit an existing enrollment policy or add a new one tied to the group of users you want to enroll in passwordless sign-in (for example, a group named Incode Identity Verification).
  3. Set Email and Okta Verify as required authenticators in the policy.

Tip: Okta recommends keeping admin users in a separate group with password access maintained to avoid locking out administrators.

Create a Passwordless Authentication Policy

  1. Go to Security > Authentication Policies.
  2. Create a new policy (for example, Passwordless Policy).
  3. Set the Catch-all Rule to Deny.
  4. Add a new rule with the following configuration:
    • Rule name: For example, Incode Passwordless
    • IF—User's group membership includes: Your passwordless users group
    • THEN—User must authenticate with: Possession factor
    • In the Allowed Authenticators list, ensure only Okta Verify—Fastpass is shown. Use Allow specific authentication methods if additional control is needed.
  5. Assign the Okta Dashboard app to this policy.

Update the Global Session Policy

  1. Go to Security > Global Session Policy.
  2. Edit your Global Session Policy rule.
  3. Set "Establish the user session with" to "Any factor used to meet the Authentication Policy requirements".
  4. Save the rule.

Enroll and Test

  1. Reset a test user's authenticators and remove their password from the user's Okta profile.
  2. Have the test user sign in to the Okta Verify app directly using your organization's domain.
  3. Confirm the user is prompted to verify their identity via Incode IDV before Fastpass is provisioned to their device.
  4. After successful verification, confirm the user can sign in using Okta Fastpass without a password.

Warning: If the user is not prompted for Incode IDV during enrollment, confirm that the enrollment policy is applied to the correct group and that Okta Verify is set as a required authenticator. If the user is prompted for a password, verify that the catch-all rule in the passwordless authentication policy is set to Deny and that the policy is assigned to the Okta Dashboard app.
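
The troubleshooting checks in the warning above can also be run offline against an export of the policy configuration. The following is an added example, not code from Okta or Incode: the bundle layout, the `dashboard_app_policy_id` field and all ids are hypothetical, and the rule and authenticator field names are assumptions modeled on Okta Policy API objects.

```python
# Added example: audits a constructed policy export for the misconfigurations
# named in the Warning. Field names are assumptions modeled on Okta Policy API
# objects; compare them with your own tenant's export before relying on them.

def audit(bundle, group_id):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    enroll = bundle["enrollment_policy"]
    if group_id not in enroll["conditions"]["people"]["groups"]["include"]:
        findings.append("enrollment policy is not applied to the group")
    required = {a["key"] for a in enroll["settings"]["authenticators"]
                if a["enroll"]["self"] == "REQUIRED"}
    for key in ("okta_email", "okta_verify"):
        if key not in required:
            findings.append(f"{key} is not a required authenticator")
    auth = bundle["authentication_policy"]
    for rule in auth["rules"]:
        sign_on = rule["actions"]["appSignOn"]
        if rule.get("system"):  # the catch-all rule
            if sign_on["access"] != "DENY":
                findings.append("catch-all rule is not set to Deny")
            continue
        groups = rule["conditions"]["people"]["groups"]["include"]
        constraints = sign_on.get("verificationMethod", {}).get("constraints", [])
        # Heuristic: no constraints, or any constraint naming a knowledge
        # factor, is treated here as "a password can still satisfy the rule".
        if group_id in groups and (not constraints
                                   or any("knowledge" in c for c in constraints)):
            findings.append(f"rule '{rule['name']}' can accept a password")
    if bundle["dashboard_app_policy_id"] != auth["id"]:
        findings.append("policy is not assigned to the Okta Dashboard app")
    return findings

def sample(catch_all="DENY", verify="REQUIRED", constraints=None, app_policy="pol1"):
    """Build a constructed bundle; every id and value here is made up."""
    group = {"people": {"groups": {"include": ["grp1"]}}}
    return {
        "enrollment_policy": {"conditions": group, "settings": {"authenticators": [
            {"key": "okta_email", "enroll": {"self": "REQUIRED"}},
            {"key": "okta_verify", "enroll": {"self": verify}}]}},
        "authentication_policy": {"id": "pol1", "rules": [
            {"name": "Incode Passwordless", "conditions": group,
             "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
                 "constraints": constraints or [{"possession": {}}]}}}},
            {"name": "Catch-all Rule", "system": True,
             "actions": {"appSignOn": {"access": catch_all}}}]},
        "dashboard_app_policy_id": app_policy,
    }

if __name__ == "__main__":
    print(audit(sample(), "grp1"))
    print(audit(sample(catch_all="ALLOW", verify="OPTIONAL"), "grp1"))
```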

