Securing Browser Environments with Chrome Managed Profiles

Summary

Google Chrome's M141 release will introduce a new security prompt for Local Network Access on Windows, Mac and Android devices. This change by Google is designed to prevent CSRF attacks and local network fingerprinting. It will affect Okta FastPass sign-ins because the feature invokes the native Okta Verify authenticator via the local server to complete the authentication process.

Body

Starting with Chrome M141 in September, Google will enforce a new Local Network Access permission prompt that affects Okta FastPass sign-ins on Windows, Mac and Android devices. This will also affect users who hit a registered condition in the authentication policy. This prompt is designed to mitigate CSRF attacks and local network fingerprinting by requiring explicit user permission for local network requests. Since FastPass relies on a local loopback server to complete authentication, users may experience sign-in interruptions unless properly configured. Okta has engaged with Google, identified viable mitigation options, and is implementing product updates, documentation changes, and customer communications to minimize impact.

This is a third-party change that affects users who authenticate with Chrome on Windows, Mac, and Android devices (iOS is not affected). If not properly configured by an admin, users may experience friction or confusion during sign-in.

See this KB article for more info.

Dates & Impacts

Google has indicated Chrome M141 releases on September 30, 2025. When Chrome M141 rolls out, Okta users signing in with FastPass will see the new Local Network Access prompt. This occurs because Okta’s loopback server (running locally) is necessary to bridge communication between Chrome and Okta Verify during the sign-in process. The prompt will also be seen by users who hit a registered condition in the authentication policy.

Recommended Actions

  • Admins should promptly notify their FastPass users to accept the local network access prompt that will appear from Chrome. It's important to communicate this change as soon as possible, as denying the prompt will degrade their user experience and could potentially lead to failed authentications.

  • Admins should also provide instructions on how to re-enable local network access if a user has already blocked it.

If a user accidentally blocks the permission, it can be reset directly in Chrome's site settings for your Okta domain via the following steps:

  1. While on your Okta sign-in page (identity.stedwards.edu), click the padlock icon (or tune icon) on the left side of the address bar to open the site settings menu.

  2. Find the setting for Local network access.

  3. Use the toggle to change the permission from 'Block' back to 'Allow'.

  4. Reload the page. Okta FastPass should now work correctly.

Details

Article ID: 3603
Created: Mon 9/29/25 9:46 AM
Modified: Mon 9/29/25 10:23 AM