Okta\u2019s FastPass Technical Whitepaper<\/a> outlines all authentication flows.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
Benefits and Challenges of Okta FastPass<\/h2>\n\n\n\nBenefits<\/strong><\/p>\n\n\n\n
\n- Admins can use FastPass for passwordless authentication from any device or location into SSO apps.<\/li>\n\n\n\n
- Okta FastPass works with several different IdP flows.<\/li>\n\n\n\n
- There\u2019s no dependency on Active Directory (AD).<\/li>\n\n\n\n
- It\u2019s possible to enforce conditional access to limit access to managed, compliant devices if third-party Enterprise Mobility Management<\/a> (EMM) or Mobile Device Management<\/a> (MDM) has been configured for use with Okta\u2019s platform.<\/li>\n\n\n\n
- FastPass can be combined with device-level biometrics<\/a>.<\/li>\n<\/ul>\n\n\n\n
Challenges<\/strong><\/p>\n\n\n\n
\n- Okta lacks Unified Endpoint Management (UEM); third-party solutions such as JumpCloud must be configured to manage your devices.<\/li>\n\n\n\n
- Okta Classic Engine users that have deployed Device Trust must carefully deactivate it in order to adopt FastPass after upgrading to OIE. There\u2019s several caveats during the migration process<\/a> such as steps that are irreversible.\n
\n- Admins must confirm that enabling FastPass doesn’t disconnect remaining Device Trust users that remain enrolled in it to access managed apps. It should also still be possible to enroll new Okta Verify users. Users that are working from unmanaged devices should also be unaffected by these changes.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Customers must set up a certificate authority (CA) to distribute management certificates to desktop devices. FastPass is a universal Okta feature, but only users that are registered with Okta Verify using devices with a certificate are authorized to use it.<\/li>\n\n\n\n
- A mobile app is required for remote users. It can be deployed as a managed app, but that requires having a separate EMM\/MDM solution.<\/li>\n<\/ul>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\"\/)
<\/p><\/div>
Note:<\/strong> Okta doesn\u2019t have Unified Endpoint Management (UEM). It relies on third-party MDM.<\/p><\/div><\/div><\/div>\n\n\n\n
What Is JumpCloud Go?<\/h2>\n\n\n\nJumpCloud Go enables secure passwordless authentication to JumpCloud-protected web resources on managed devices. Users can verify their identity using device authenticators with biometrics (Apple Touch ID and Windows Hello) versus password sign-in challenges. This improves security by simplifying the user login flow, reducing MFA fatigue, and minimizing password use. JumpCloud Go authentication also satisfies any User Portal MFA requirements.<\/p>\n\n\n\n
![\"JumpCloud](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/12\/JumpCloud-Go.png\")
<\/figure>\n\n\n\n<\/p><\/div>
Note:<\/strong> \nJumpCloud Go provides instant revocation when a user status changes from “active” to “suspended”. That’s possible because the platform has integrated identity and device management.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
How Does JumpCloud Go Work?<\/h2>\n\n\n\n
JumpCloud Go is built using open web standards. A device user refresh token (DURT) is generated by managed users on managed devices, which in turn grants access to the User Portal and SSO apps. JumpCloud Go supports macOS and Windows devices with specifications for Secure Enclave and Trusted Platform Module (TPM) 2.0.<\/p>\n\n\n\n
<\/p><\/div>
Note:<\/strong> JumpCloud integrates cross-OS device management with IAM. The platform architecture allows for Go to be extended with more holistic policies and device settings over time.<\/p><\/div><\/div><\/div>\n\n\n\n
The prerequisites<\/a> mandate that a JumpCloud agent has to be installed and running on macOS and Windows devices. At present, a Google Chrome browser with the JumpCloud Go browser extension must be installed. Admins can deploy it manually or by using Google\u2019s Chrome Browser Cloud Management (CBCM)<\/a>. Go is enabled through the centralized Admin Console without additional components. Enabling JumpCloud Go will automatically save it as an MFA factor. Users must configure biometrics on their devices to utilize them with JumpCloud Go. <\/p>\n\n\n\n
![\"JumpCloud](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/12\/JumpCloud-Go-2.png\")
<\/figure>\n\n\n\nJumpCloud Go vs. Okta FastPass<\/h2>\n\n\n\nJumpCloud Go and Okta FastPass serve a similar purpose, but their architectures are different. Those differences influence how the solutions are deployed as well as product use cases. JumpCloud\u2019s platform has integrated UEM, while Okta customers must choose a UEM provider.<\/p>\n\n\n\n
Let\u2019s explore some of those differences.<\/p>\n\n\n\n
Authentication<\/strong><\/p>\n\n\n\n
\n- JumpCloud Go uses a DURT to provide passwordless authentication that satisfies MFA requirements for SSO and the JumpCloud User Console. IAM and UEM are integrated, so only managed devices and users are ever registered to use Go. JumpCloud conditional access policies<\/a> deploy device trust certificates to desktops.<\/li>\n\n\n\n
- Okta\u2019s FastPass is built around PKI<\/a> using components including Okta OIE, and Okta Verify. It works in unison with external UEM to deliver a full solution.<\/li>\n\n\n\n
- Okta allows for PIV\/CAC cards as a step-up MFA for privileged resources. Using a DURT does not satisfy step-up MFA requirements at this time. However, JumpCloud integrates with device authenticators such as Windows Hello for added security.<\/li>\n<\/ul>\n\n\n\n
<\/p><\/div>
Note:<\/strong> \nJumpCloud has the ability for admins to lockout the whole computer, which effectively locks unauthorized users out of all browsers as well as native apps. Okta’s Universal logout can terminate browser sessions, but is reliant on SSO apps that support it. Okta lacks native endpoint management capabilities.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
Deployment<\/strong><\/p>\n\n\n\n
\n- JumpCloud Go is deployed using a browser extension on managed devices. It\u2019s turned on using the Admin Console.<\/li>\n\n\n\n
- Okta admins must deploy Okta Verify apps, configure a CA, and integrate with an external UEM vendor.<\/li>\n\n\n\n
- JumpCloud Go will be launched on Linux, pending customer need.<\/li>\n\n\n\n
- Okta FastPass supports Android and Apple mobile devices. However, there are some prerequisites.\n
\n- FastPass requires a Safari extension in order to work without prompting users. Your MDM provider must support Apple\u2019s Extensible Single Sign-On framework to define extensions for MFA.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Integrated Device Management<\/strong><\/p>\n\n\n\n
\n- UEM is external to Okta, whereas JumpCloud Go can enforce device management. Subsequently, Okta FastPass doesn’t require devices to be managed.<\/li>\n\n\n\n
- The JumpCloud Go credential is secured and tied to login credentials for managed accounts on managed devices. Okta FastPass doesn\u2019t work that way.<\/li>\n\n\n\n
- Okta FastPass may be used for desktop single sign-on. JumpCloud Go is available exclusively for User Portal authentication at this time to protect apps and resources.<\/li>\n<\/ul>\n\n\n\n
Licensing<\/strong><\/p>\n\n\n\n
\n- Customers can get started with JumpCloud Go either by subscribing to the full platform<\/a> or by selecting JumpCloud’s device management and SSO SKUs.<\/li>\n\n\n\n
- There is a $1,500 annual contract minimum in all Okta plans<\/a>. There may be additional costs to deploy and manage on-premise components. Okta doesn\u2019t provide UEM, which must be obtained separately for a secure device state.<\/li>\n<\/ul>\n\n\n\n
<\/p><\/div>
Note:<\/strong> \nAccess JumpCloud\u2019s pricing comparison tool<\/a> and TCO calculator<\/a>.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
User Experience<\/strong><\/p>\n\n\n\n
\n- Using a DURT creates a better end user experience with fewer interactive password authentications to access managed resources.<\/li>\n\n\n\n
- Both solutions offer configurable session settings.<\/li>\n<\/ul>\n\n\n\n
Get Started With JumpCloud Go<\/h2>\n\n\n\nAdmins can move more efficiently to secure privileged access from desktops to assets and eliminate MFA fatigue by using JumpCloud Go. JumpCloud\u2019s cross-OS device management makes it possible to restrict access to only managed devices that meet your security baselines.<\/p>\n\n\n\n
If you want to learn more about JumpCloud Go just drop us a note<\/a> or get started with a free trial<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"
Challenges<\/strong><\/p>\n\n\n\n
- \n
- Okta lacks Unified Endpoint Management (UEM); third-party solutions such as JumpCloud must be configured to manage your devices.<\/li>\n\n\n\n
- Okta Classic Engine users that have deployed Device Trust must carefully deactivate it in order to adopt FastPass after upgrading to OIE. There\u2019s several caveats during the migration process<\/a> such as steps that are irreversible.\n
- \n
- Admins must confirm that enabling FastPass doesn’t disconnect remaining Device Trust users that remain enrolled in it to access managed apps. It should also still be possible to enroll new Okta Verify users. Users that are working from unmanaged devices should also be unaffected by these changes.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Customers must set up a certificate authority (CA) to distribute management certificates to desktop devices. FastPass is a universal Okta feature, but only users that are registered with Okta Verify using devices with a certificate are authorized to use it.<\/li>\n\n\n\n
- A mobile app is required for remote users. It can be deployed as a managed app, but that requires having a separate EMM\/MDM solution.<\/li>\n<\/ul>\n\n\n\n<\/p><\/div>
Note:<\/strong> Okta doesn\u2019t have Unified Endpoint Management (UEM). It relies on third-party MDM.<\/p><\/div><\/div><\/div>\n\n\n\n
What Is JumpCloud Go?<\/h2>\n\n\n\n
JumpCloud Go enables secure passwordless authentication to JumpCloud-protected web resources on managed devices. Users can verify their identity using device authenticators with biometrics (Apple Touch ID and Windows Hello) versus password sign-in challenges. This improves security by simplifying the user login flow, reducing MFA fatigue, and minimizing password use. JumpCloud Go authentication also satisfies any User Portal MFA requirements.<\/p>\n\n\n\n
<\/figure>\n\n\n\n<\/p><\/div>Note:<\/strong> \nJumpCloud Go provides instant revocation when a user status changes from “active” to “suspended”. That’s possible because the platform has integrated identity and device management.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
How Does JumpCloud Go Work?<\/h2>\n\n\n\n
JumpCloud Go is built using open web standards. A device user refresh token (DURT) is generated by managed users on managed devices, which in turn grants access to the User Portal and SSO apps. JumpCloud Go supports macOS and Windows devices with specifications for Secure Enclave and Trusted Platform Module (TPM) 2.0.<\/p>\n\n\n\n
<\/p><\/div>Note:<\/strong> JumpCloud integrates cross-OS device management with IAM. The platform architecture allows for Go to be extended with more holistic policies and device settings over time.<\/p><\/div><\/div><\/div>\n\n\n\n
The prerequisites<\/a> mandate that a JumpCloud agent has to be installed and running on macOS and Windows devices. At present, a Google Chrome browser with the JumpCloud Go browser extension must be installed. Admins can deploy it manually or by using Google\u2019s Chrome Browser Cloud Management (CBCM)<\/a>. Go is enabled through the centralized Admin Console without additional components. Enabling JumpCloud Go will automatically save it as an MFA factor. Users must configure biometrics on their devices to utilize them with JumpCloud Go. <\/p>\n\n\n\n
<\/figure>\n\n\n\nJumpCloud Go vs. Okta FastPass<\/h2>\n\n\n\n
JumpCloud Go and Okta FastPass serve a similar purpose, but their architectures are different. Those differences influence how the solutions are deployed as well as product use cases. JumpCloud\u2019s platform has integrated UEM, while Okta customers must choose a UEM provider.<\/p>\n\n\n\n
Let\u2019s explore some of those differences.<\/p>\n\n\n\n
Authentication<\/strong><\/p>\n\n\n\n
- \n
- JumpCloud Go uses a DURT to provide passwordless authentication that satisfies MFA requirements for SSO and the JumpCloud User Console. IAM and UEM are integrated, so only managed devices and users are ever registered to use Go. JumpCloud conditional access policies<\/a> deploy device trust certificates to desktops.<\/li>\n\n\n\n
- Okta\u2019s FastPass is built around PKI<\/a> using components including Okta OIE, and Okta Verify. It works in unison with external UEM to deliver a full solution.<\/li>\n\n\n\n
- Okta allows for PIV\/CAC cards as a step-up MFA for privileged resources. Using a DURT does not satisfy step-up MFA requirements at this time. However, JumpCloud integrates with device authenticators such as Windows Hello for added security.<\/li>\n<\/ul>\n\n\n\n<\/p><\/div>Note:<\/strong> \n
JumpCloud has the ability for admins to lockout the whole computer, which effectively locks unauthorized users out of all browsers as well as native apps. Okta’s Universal logout can terminate browser sessions, but is reliant on SSO apps that support it. Okta lacks native endpoint management capabilities.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
Deployment<\/strong><\/p>\n\n\n\n
- \n
- JumpCloud Go is deployed using a browser extension on managed devices. It\u2019s turned on using the Admin Console.<\/li>\n\n\n\n
- Okta admins must deploy Okta Verify apps, configure a CA, and integrate with an external UEM vendor.<\/li>\n\n\n\n
- JumpCloud Go will be launched on Linux, pending customer need.<\/li>\n\n\n\n
- Okta FastPass supports Android and Apple mobile devices. However, there are some prerequisites.\n
- \n
- FastPass requires a Safari extension in order to work without prompting users. Your MDM provider must support Apple\u2019s Extensible Single Sign-On framework to define extensions for MFA.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Integrated Device Management<\/strong><\/p>\n\n\n\n
- \n
- UEM is external to Okta, whereas JumpCloud Go can enforce device management. Subsequently, Okta FastPass doesn’t require devices to be managed.<\/li>\n\n\n\n
- The JumpCloud Go credential is secured and tied to login credentials for managed accounts on managed devices. Okta FastPass doesn\u2019t work that way.<\/li>\n\n\n\n
- Okta FastPass may be used for desktop single sign-on. JumpCloud Go is available exclusively for User Portal authentication at this time to protect apps and resources.<\/li>\n<\/ul>\n\n\n\n
Licensing<\/strong><\/p>\n\n\n\n
- \n
- Customers can get started with JumpCloud Go either by subscribing to the full platform<\/a> or by selecting JumpCloud’s device management and SSO SKUs.<\/li>\n\n\n\n
- There is a $1,500 annual contract minimum in all Okta plans<\/a>. There may be additional costs to deploy and manage on-premise components. Okta doesn\u2019t provide UEM, which must be obtained separately for a secure device state.<\/li>\n<\/ul>\n\n\n\n<\/p><\/div>Note:<\/strong> \n
Access JumpCloud\u2019s pricing comparison tool<\/a> and TCO calculator<\/a>.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
User Experience<\/strong><\/p>\n\n\n\n
- \n
- Using a DURT creates a better end user experience with fewer interactive password authentications to access managed resources.<\/li>\n\n\n\n
- Both solutions offer configurable session settings.<\/li>\n<\/ul>\n\n\n\n
Get Started With JumpCloud Go<\/h2>\n\n\n\n
Admins can move more efficiently to secure privileged access from desktops to assets and eliminate MFA fatigue by using JumpCloud Go. JumpCloud\u2019s cross-OS device management makes it possible to restrict access to only managed devices that meet your security baselines.<\/p>\n\n\n\n
If you want to learn more about JumpCloud Go just drop us a note<\/a> or get started with a free trial<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"
- FastPass requires a Safari extension in order to work without prompting users. Your MDM provider must support Apple\u2019s Extensible Single Sign-On framework to define extensions for MFA.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n