
Ability to show the enroll authenticator form after authentication completes #3684

Open
Burnett2k opened this issue Aug 2, 2024 · 5 comments

Comments

@Burnett2k

Describe the feature request

My team is attempting to roll out some optional authentication options for users such as Passkeys. However, we cannot find a way to display this screen post authentication for existing users.
It appears the widget can be initialized with a 'flow', but it is unclear if there's a way to tell it to show the "enroll-authenticator" page to prompt users to enroll in optional authenticators. We would like a way to specifically tell the widget to go to that screen.

New or Affected Resource(s)

Sign in widget

Provide a documentation link

https://github.com/okta/okta-auth-js?tab=readme-ov-file#endpointsauthorizeenrollauthenticatoroptions

It appears this may have been a feature of the classic sign in widget. You can see some references to this behavior here under the multiOptionalFactorEnroll option. The documentation states this is not supported in the new sign in widget.

Additional Information?

We are currently using the Okta v3 embedded sign in widget for Password and Email / OTP and those are working well.
We are now investigating using Webauthn for authentication, specifically Passkeys.
We want to roll this out to users so that after they've logged in with a password or OTP, they can then be prompted to enroll a passkey OPTIONALLY. Since the widget already handles the enrollment quite well, we want to utilize it for this flow.
So far, we have found this easier to set up for the register / create account flow. You can simply create an enrollment policy and set FIDO2 / webauthn to optional and the widget will then prompt you to set up optional authenticators once you have created your account.
However, we have found that when using the sign in widget this doesn't work for existing users. Even when we set up an auth policy for webauthn to be optional, they are never prompted to enroll in that authenticator after authenticating. The only way we have seen to make this work involves modifying webauthn to be required instead of optional. In that case, Okta will force the user to enroll in passkeys. But, that is not what we want. We want to give the users the option to enroll in passkeys if they want rather than force it upon them by making the authenticator required.

I'm assuming this behavior is the same for all optional authenticators, but I could use some advice on whether there's a way to have the widget go straight to the optional authenticator enrollment page post sign in, or some other way to accomplish this. The create account flow with optional authenticator at the end is pretty close to what we want, but we can't seem to achieve that with Okta config for the logging in side of things.

@RyAndrew

RyAndrew commented Aug 3, 2024

+1
This would be a useful okta platform and widget enhancement.

It would be great if we could tell the widget "enroll this specific factor" to initiate the flow.
It would be great if we could force the optional enrollment screen to pop up within some criteria other than evaluation of enrollment policies against application access policies.

A decent workaround is to create an application with a sign on policy that requires your new desired factor to be enrolled.
Your app can redirect the user to that application to force the enrollment prompt during login. It can also be displayed on their okta dashboard as an "easy button". I set the app "login url" to the okta dashboard "https://youroktadomain.com/app/UserHome" so the user ends up on the dashboard after enrollment.

I would also encourage you to look at enabling a new EA feature "End User Settings version 2.0". This provides a very end user friendly screen to enroll factors. https://support.okta.com/help/s/article/how-to-enable-end-user-settings-version-2-0?language=en_US

@Burnett2k
Author

Hi @RyAndrew, thanks for your input.

Unfortunately, this is for end users of an ecommerce application who will never have direct access to Okta dashboard, so we cannot rely on any solutions which require end user management or settings within the platform. I do wonder if it's possible to use the redirect flow you mentioned.

Do you have any code samples or articles showing this strategy? Our app already heavily relies on redirecting after authentication, so I'd hope we could simply create a new widget with different app config information to get the desired effect, and then proceed with the initial planned redirect.

Let me try and do a POC using a separate application and report back, but any more info you have would be helpful. Thanks.

@Burnett2k
Author

I created a POC to test out the technique of redirecting to a new application post-authentication, but am not having much luck. What I did was:

  1. Create a new Okta application which requires FIDO2 authenticator
  2. Sign in with existing widget and authenticate successfully
  3. Post-authentication, I try to render a new widget with the new clientId (with a flow of 'login', to hopefully prompt the user to enroll in passkeys).
  4. Instead of the widget rendering, it is simply blank with no clear errors in the network tab or in the JavaScript console.

I am still trying to debug, but so far it seems that once you are authenticated the Widget simply refuses to show anymore.

@Burnett2k
Author

@RyAndrew Do you have any further guidance on how to implement your suggestion? I'm starting to think the widget cannot be used in this manner. It seems to think that if you're already authenticated, it should never show.

@RyAndrew

I agree that the widget is not designed to solve this challenge. It sure would be great if it was able to programmatically allow factor enrollment. This would alleviate the requirement to build the enrollment screens yourself.
I feel your best bet is after the user logs in, they should land on a page that would use the Okta API to detect which factors are enrolled and you can decide to send the user into an enrollment flow at that time. You would have to build the UI yourself 😢
https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/enrollFactor
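One way to implement the post-login check suggested in the comment above, as an added example that is not from this thread or from Okta's SDKs: it classifies a constructed `GET /api/v1/users/{userId}/factors` response and decides whether the signed-in user should be offered optional passkey (WebAuthn) enrollment. `fetchFactors` is an assumed server-side helper; the management API token it uses must stay on the backend, never in the browser.

```javascript
// Added example, not Okta's own code. Runs under Node; the sample response is constructed.

// Constructed sample of the "list factors" response (fields trimmed to what we use).
// The webauthn factor is PENDING_ACTIVATION: the browser ceremony never completed,
// so the user still has no usable passkey.
const SAMPLE_FACTORS = [
  { id: "ost-sample-1", factorType: "password", provider: "OKTA", status: "ACTIVE" },
  { id: "emf-sample-1", factorType: "email", provider: "OKTA", status: "ACTIVE" },
  { id: "fwf-sample-1", factorType: "webauthn", provider: "FIDO", status: "PENDING_ACTIVATION" },
];

// Authenticators we want users to have but do not require (the thread's "optional" case).
const OPTIONAL_AUTHENTICATORS = ["webauthn"];

// Only ACTIVE factors count as enrolled; anything else (PENDING_ACTIVATION,
// INACTIVE, ...) must not suppress the enrollment prompt.
function enrolledTypes(factors) {
  return new Set(
    factors.filter((f) => f.status === "ACTIVE").map((f) => f.factorType)
  );
}

// Returns what is enrolled, which optional authenticators are missing, and
// whether the post-login page should route the user into an enrollment flow.
function enrollmentDecision(factors, optional = OPTIONAL_AUTHENTICATORS) {
  const enrolled = enrolledTypes(factors);
  const missing = optional.filter((type) => !enrolled.has(type));
  return {
    enrolled: [...enrolled].sort(),
    missing,
    promptEnrollment: missing.length > 0,
  };
}

// Hypothetical backend helper: calls the management API with an SSWS API token.
// The userId comes from the validated session (e.g. the ID token's sub claim), not from the client.
async function fetchFactors(oktaDomain, userId, apiToken) {
  const url = `https://${oktaDomain}/api/v1/users/${encodeURIComponent(userId)}/factors`;
  const res = await fetch(url, {
    headers: { Authorization: `SSWS ${apiToken}`, Accept: "application/json" },
  });
  if (!res.ok) throw new Error(`Okta factors lookup failed: HTTP ${res.status}`);
  return res.json();
}

// Offline demonstration on the constructed sample.
console.log(enrollmentDecision(SAMPLE_FACTORS));
```

The decision object only tells the post-login page whether to show your own enrollment UI; the enrollment itself still goes through the enrollFactor endpoint linked above.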
