Jamf Connect Passwordless Login to macOS with Okta

New Contributor

Hi all,

Anyone know if it's possible to have entirely passwordless login to macOS using Jamf Connect and Okta? Would like to use TouchID and/or MFA Okta Verify Push.



Honored Contributor II

Doesn't not having a password defeat the point of Multi Factor Authentication? You are literally removing something you know (password) factor and going back to two factor authentication.


The TouchID part is not possible. TouchID is tied to the user Keychain, and that needs a password to unlock their Keychain and enable TouchID. 


As far as what can clear Okta authentication, that would be something you need to run by Okta. They do have a passwordless function, but it requires endpoint enrollment and a few other things. The idea if MFA is you want Multiple Factors of Authentication. If you take the password out, you just have user name and biometric, which is still just two factor. That and Biometric is likely just secured by a simple pin on the users phone, you have that pin and you can clear the biometric authentication.


You can configure macOS to auto log in a given account. However I am not sure if JAMF Connect will allow this, and I don't think touchID will work.

How to log in automatically to a Mac user account - Apple Support

Valued Contributor II

With the current state of macOS user authentication, this is not possible. Jamf Connect is combining two different authentication methods in to one seemless login process. Step 1 - Collect the user name and password from the user and authenticate against Okta (with any associated MFA) and thenStep 2 - Authenticate the SAME password against the local account. 

Currently macOS does not have any mechanism to login in to an account without knowing the password to the account. TouchID only works if the user account is locked (thus the user has already authenticated themselves). It does not work at the login screen. To do any form of passwordless authentication, Jamf Connect would have to authenticate the user to Okta, then obtain the user's password from Okta and initiate the local user login. But, no IdP would ever have a process that allows the password to leave it's systems. 

That being said, that is today. This is only my gut feeling, but I think Apple has long term plans for authentication. On Intel computers, FileVault authentication happens at the Firmware level, so Apple controls the authentication process. However, with Apple Silicon, FileVault unlock boots to an mini-O/S to prompt the user. In theory, Apple could open this up to third party authentication (Okta, Jamf Connect, etc.) How soon, if ever, will that happen. I don't know.