WSU only recommends WebAuthn (FIDO2 or biometrics) as an authenticator in specific controlled situations.
Support for WebAuthn is not universal. WebAuthn support is not available when using embedded browsers (such as Outlook). This limited support makes FIDO2 challenging to support for general use. However, FIDO2 provides very good security, so for specific applications, WSU does recommend FIDO2 as a supplemental authenticator.
Biometric login is a subclass of FIDO2 that uses the security of your phone or computer rather than an external token. Because the biometric authentication uses WebAuthn, it is subject to the same limitations as a FIDO2 token.
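The support limits described above can be checked from page script before a user is offered this security method. The following is an added example, not WSU or Okta code: it uses the standard browser WebAuthn feature checks, and it models an embedded browser without support as one where the API is absent (an assumption). The function names, result fields and sample environments are hypothetical.

```javascript
// Added example. `env` is normally the page's `window`; it is a parameter
// so the constructed environments below can be checked outside a browser.
function hasWebAuthnApi(env) {
  // Browsers expose WebAuthn only in secure contexts (HTTPS or localhost).
  if (!env || env.isSecureContext !== true) return false;
  const creds = env.navigator && env.navigator.credentials;
  return typeof env.PublicKeyCredential === "function" &&
    !!creds && typeof creds.create === "function" &&
    typeof creds.get === "function";
}

async function classifyWebAuthnSupport(env) {
  if (!hasWebAuthnApi(env)) {
    // Typical of an embedded browser: offer a different security method.
    return { securityKey: false, biometric: false };
  }
  const pkc = env.PublicKeyCredential;
  let biometric = false;
  if (typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable === "function") {
    try {
      // Resolves true when Touch ID, Windows Hello or similar is usable.
      biometric = (await pkc.isUserVerifyingPlatformAuthenticatorAvailable()) === true;
    } catch (_err) {
      biometric = false; // treat a failed probe as "not available"
    }
  }
  return { securityKey: true, biometric };
}

// Constructed environments (not captured from real browsers).
function makeEnv(hasApi, platformAuthenticator) {
  const env = { isSecureContext: true, navigator: {} };
  if (hasApi) {
    function PublicKeyCredential() {}
    PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable =
      async () => platformAuthenticator;
    env.PublicKeyCredential = PublicKeyCredential;
    env.navigator.credentials = { create: async () => null, get: async () => null };
  }
  return env;
}
const EMBEDDED_VIEW = makeEnv(false, false);
const DESKTOP_WITH_KEY_ONLY = makeEnv(true, false);
const LAPTOP_WITH_TOUCH_ID = makeEnv(true, true);
```

In a real page, call classifyWebAuthnSupport(window) and hide the Security Key or Biometric Authenticator choice when securityKey is false.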
The following resources can be used to view the pros and cons of each MFA option:
Okta maintains a list of 126+ compatible tokens. Choose a token from the list of ITS supported hardware below, or confirm with ITS that a token is on the recognized list before making a purchase.
ITS supported FIDO2 hardware:
YubiKey 5 Series with NFC
YubiKey 5 Series
YubiKey Security Key C NFC
YubiKey Security Key NFC (available for purchase at Cortech on the Pullman campus)
On account.wsu.edu, select the Manage Security Methods option, find the Security Key or Biometric Authenticator security method, and select Setup.
Verify with your current WSU password. If you already have an alternative security method enabled, you may also be prompted to complete MFA.
Select Set up → for Security Key or Biometric Authenticator.
Additional setup instructions for Security Key or Biometric Authenticator will appear.
To configure a Security Key in Google Chrome on a Windows device:
Select OK.
Select OK.
Plug your specialized security key into your computer. (If you do not yet have a security key, please contact your local IT support team for more information about compatible devices and purchase options. You can also review Security Keys that WSU has tested.)
Once successfully enabled, you will receive a "You have successfully setup Security Key or Biometric Authenticator" pop-up message. The Security Key or Biometric Authenticator security method will also have an option to Remove as needed.
The first time you plug in your Security Key, the system will ask you to create a PIN for it. Be sure to keep your PIN: you cannot reset it, and once it is set the system will always ask for it, even if you remove this USB Security Key and set it up again. (There may be a way to reset your USB Security Key PIN, but it isn't guaranteed to work with all keys.) See this article from Yubico for more information on FIDO2 PINs.
Once you touch your security key at the end, the system finishes the setup.
When you go to use your Security Key for MFA later, the system will ask for the PIN you set on the key and ask you to touch it again after you have plugged it in.
1. Activate or log in to your account (how?)
2. From login.wsu.edu, click your name, then settings.
3. Select "Security Key or Biometric Authenticator" and click Set Up. If you already have one "Security Key or Biometric Authenticator", click Set up Another.
4. When prompted, insert the key and register it with Okta.
5. Log in to wsu.okta.com, click your name, then settings.
6. Repeat steps 3 and 4.
How to Set up Biometric WebAuthn
Every web browser you use may require independent registration. You should assume that setting up Chrome and Firefox requires you to set up biometric authentication 2 separate times.
On account.wsu.edu, select the Manage Security Methods option, find the Security Key or Biometric Authenticator security method, and select Setup.
Verify with your current WSU password. If you already have an alternative security method enabled, you may also be prompted to complete MFA.
Select Set up → for Security Key or Biometric Authenticator.
Additional setup instructions for Security Key or Biometric Authenticator will appear.
To Set up Biometric Authenticator:
Depending on your operating system and web browser, the prompt to continue setting up this security method will give different instructions. In every case, you have to accept a prompt before proceeding.
The following process is an example of configuring Biometric Authenticator for Touch ID in Google Chrome on a Mac device:
Select the Your Chrome profile option.
Select Continue.
Complete Touch ID or enter your computer password.
Once successfully enabled, you will receive a "You have successfully setup Security Key or Biometric Authenticator" pop-up message. The Security Key or Biometric Authenticator security method will also have an option to Remove as needed.
The following process is an example of configuring a Security Key in Firefox on a Windows device:
Select Proceed.
Plug your specialized security key into your computer. (If you do not yet have a security key, please contact your local IT support team for more information about compatible devices and purchase options. You can also review Security Keys that WSU has tested.)
Once successfully enabled, you will receive a "You have successfully setup Security Key or Biometric Authenticator" pop-up message. The Security Key or Biometric Authenticator security method will also have an option to Remove as needed.
Select "Security Key or Biometric Authenticator" and click Set Up. If you already have one "Security Key or Biometric Authenticator", click Set up Another.
When prompted, follow your browser's wizard to set up Touch ID, Face ID, Windows Hello, or similar biometric login.
Log in to wsu.okta.com, click your name, then settings.
Repeat steps 3 and 4.
How to Use
Enter your username to log in to login.wsu.edu
Enter your password when prompted*
When prompted to verify your account, if "Security Key or Biometric Authenticator" isn't presented, choose "Select another Auth..."
Choose "Security Key or Biometric Authenticator"
Click the blue "Verify" box
When prompted, verify with your token or biometric identity data.