The following instructions are for adding a Security Key or Biometric authenticator (such as a fingerprint scanner) as a factor for Okta Multi Factor Authentication. You will need to have read and completed the initial instructions at Multi Factor Authentication (MFA) Setup for Okta before completing the following instructions.


  • In order to use this option the biometric device MUST be installed and configured on your device in advance. On Mac and Windows devices with inbuilt sensors, they MUST be pre configured and set up with your finger print or face ID before proceeding with this option. If you require any assistance with this please contact the ICLT service desk.

  • Note that when you enrol a biometric factor, it is tied to that device. E.G. if you enrol touchID on a MacBook, you cannot then use that as a second factor to log in on your phone or a different computer. For this reason we recommend that you also enrol another factor after enrolling your biometric factor.


  • You can either watch the video link here:, or follow below.

  • Press the setup button under Security Key or Biometric Authenticator

  • Press the Enrol Button

  • If you are using Google Chrome as your browser you will be presented with the following:

  • Select This device then on the next screen press continue.

  • If you are using a Mac you will be prompted to enter your username and password to allow it to use touch ID and that is it.

  • If you are using Safari you will be prompted with the following:

  • Use the fingerprint sensor on your mac and and that is it, you have now successfully enrolled a biometric factor.

  • You can continue to add other factors by following the instructions via the Multi Factor Authentication (MFA) Setup for Okta page.

Trusting Your Device

Once you have set up your Security Key or Biometric MFA factor as above, you will then be shown an MFA prompt each time you sign in to certain services (such as ESS, Compass, Google, etc.). When you are shown the MFA prompt, you will be given the option "Do not challenge me on this device again" as in the following screenshot:

Checking this option means that you will no longer be prompted for MFA when logging in to that particular service on that particular device/browser (ie you will need to check the option the first time you log into each service such as ESS, Compass, Google etc.).

Note that you may still be shown an MFA prompt if you clear your browser's cookies, change between browsers (or devices), or after a period of time.