okta / okta-signin-widget

HTML/CSS/JS widget that provides out-of-the-box authentication UX for your organization's apps

Error: Windows Hello can only be used on Windows Edge with Windows 10 #1380

Open yapici opened 4 years ago

yapici commented 4 years ago

I'm submitting a

Background info

I'm trying to log in to Okta via a custom web application that uses okta-signin-widget. I'm getting this error after entering my credentials and approving the 2FA with my biometric key (i.e., USB Biometric Authenticator):

"Windows Hello can only be used on Windows Edge with Windows 10. Contact your admin for assistance."

It works fine with phone 2FA.

Expected behavior

I expect the login to go through

What went wrong?

Error: "Windows Hello can only be used on Windows Edge with Windows 10. Contact your admin for assistance."

Your environment

aarongranick-okta commented 4 years ago

@yapici To confirm, you are running on a MacOS computer? What factor types have you enabled under Security > Multifactor in the Okta Admin UI?

yapici commented 4 years ago

@aarongranick-okta, I am running this on a MacOS computer. I have Okta Verify and Security Key or Biometric Authenticator with 'MacBook Touch ID' enabled.

aarongranick-okta commented 4 years ago

@yapici Try setting the webauthn feature to true as described here: https://github.com/okta/okta-signin-widget#feature-flags

yapici commented 4 years ago

This helped. Now I don't get that error. I do get a different error though. When I enter my credentials, I get an alert box saying "You're using a security key that's not registered with this website." I click the 'Try again' button on the alert box, and it lets me choose either USB security key or Built-in sensor. I choose one, and get this error on the widget: "The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client"

magizh-okta commented 4 years ago

@yapici can you please confirm that for the particular user you have enrolled the MacBook Touch ID as a 'webauthn' enrollment? Also, please note that you need to use the same Chrome profile that you enrolled the Touch ID with to verify as well. Chrome ties the Chrome profile to the webauthn enrollment.

You can check for user enrollment in the admin UI or the user's end-user settings. If you are not sure, I would reset the existing enrollment and try a new enrollment just to be sure.

yapici commented 4 years ago

@magizh-okta, the user is enrolled in macbook touch ID. They use the same Chrome session to log in to the system via the signin widget. Do you know if I have to add anything additional to my JS code to enable this?

magizh-okta commented 4 years ago

@yapici can you try accessing your Okta org URL and logging in as this user using webauthn to make sure that works. Can you also provide more context as to how you are hosting the SIW? Have you added the host URL to the trusted URLs?

yapici commented 4 years ago

@magizh-okta, of course; context is important. I'm sorry for not providing more details earlier: We're using the SIW in a custom web app that is used within the company intranet. We use the SIW to get a session token first, then use that token to get an access token via @okta/okta-auth-js. We use the access token in our backend (Python) to authorize the user via the Okta oauth2/v1/introspect endpoint. The host URL is added to the trusted URLs list.

User can access the Okta org URL fine and can log in without any issues. They could also log in to other applications without an issue but none of the other applications are using the SIW.

magizh-okta commented 4 years ago

@yapici thanks for providing the context. Since the webauthn protocol ties the enrollment to the host URL, the current behavior is that you need to enroll from the same app URL in order to use it for verification for that app. Can you try deleting your enrollment and enrolling into webauthn from the same app.

yapici commented 4 years ago

Thanks for the information @magizh-okta. Does this mean users cannot use their enrollment for multiple apps? We use Okta in our organization as the SSO service for multiple apps and our app is the only one that utilizes SIW. If I ask the users to re-enroll through our app, that will probably break their login for all the other applications. Besides, asking the whole user base to re-enroll via our app isn't feasible, as this is just one app among many within the organization. Is there a way to make it work with their existing enrollment? Users usually enroll via our organization's Okta page directly (i.e., https://<organization-name>.okta.com/enduser/settings.)

If using their existing enrollment isn't possible, we will just put a warning asking them to use their phone instead.
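The host binding magizh-okta describes above is the WebAuthn Relying Party ID rule: a credential is only offered when the enrollment's rpId equals, or is a registrable-domain suffix of, the host the browser is currently on. The check below is an added illustration, not code from okta-signin-widget or Okta; the hostnames and the tiny public-suffix stand-in are constructed.

```javascript
// Added example (not part of okta-signin-widget): why a WebAuthn credential enrolled on
// the org's Okta page is not offered to a custom intranet app that hosts the Sign-In Widget.
// A browser lets a credential be used only when rpId equals the origin's host or is a
// registrable-domain suffix of it, and only from a secure context. The suffix set below is
// a constructed stand-in for the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'co.uk']);

// Extract the lowercase hostname of an origin, or null if it is not a usable secure origin.
function hostOf(origin) {
  try {
    const u = new URL(origin);
    if (u.protocol !== 'https:' && u.hostname !== 'localhost') return null;
    return u.hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Decide whether a credential bound to rpId can be exercised from the given page origin.
function rpIdUsableFromOrigin(rpId, origin) {
  const host = hostOf(origin);
  const id = (rpId || '').toLowerCase().replace(/\.$/, '');
  if (!host || !id) return false;
  if (PUBLIC_SUFFIXES.has(id)) return false;        // an rpId may not be a bare public suffix
  return host === id || host.endsWith('.' + id);    // exact host or registrable-domain suffix
}

// Constructed scenario from this thread: enrollment done on the org page, then used from an app.
const ENROLLMENT_RP_ID = 'acme.okta.com';

// Human-readable verdict for a given app origin.
function explain(origin) {
  return rpIdUsableFromOrigin(ENROLLMENT_RP_ID, origin)
    ? `usable: ${origin} is within rpId ${ENROLLMENT_RP_ID}`
    : `not offered: ${origin} is outside rpId ${ENROLLMENT_RP_ID}; enrollment from this host is needed`;
}
```

Running `explain('https://intranet.acme.example')` against the constructed enrollment shows the "not offered" branch the thread ran into; the same credential is accepted from `https://acme.okta.com/enduser/settings`.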

martin3walker commented 2 years ago

I'm facing a very similar issue with my organization. Was there ever a solution found for this?

dazandren commented 1 year ago

Mutual of Omaha logo Windows Hello Windows Hello can only be used on Windows Edge with Windows 10. Contact your admin for assistance. Back to sign in

I'm having the same issue with one website; all the others work fine. Using the Microsoft Edge browser on Windows 11. Have tried to log in using multiple browsers (Chrome, Firefox, Opera) to no avail. Even tried to log in with a laptop (Edge) and my iPhone (Edge and Safari), same message. The company says it's not their issue, that it's on my end, but their website is the only one this happens on. I'm stumped.

gt-bb-0821 commented 7 months ago

@yapici We also have some user reports of this issue. Do you remember the steps you took to resolve this? Is there a known fix for this?