Device-Bound Single Sign-On
Early Access release. See Enable self-service features.
Device-Bound Single Sign-On is an Okta Device Access feature that allows you to create a hardware-protected identity session that binds a user's authentication to a specific device.
Because the session is cryptographically bound to a key that never leaves the device hardware, a stolen cookie or hijacked session token can't be replayed from another device, which defeats session hijacking and cookie theft. The resulting phishing-resistant session is shared across all browsers and platform-specific apps on the device, significantly reducing the number of MFA prompts your users receive.
How it works
Device-Bound Single Sign-On relies on the Okta-joined device state. A device becomes Okta-joined when it registers in the Universal Directory through a Device Access SCEP certificate and links the operating system profile to a primary Okta user.
When a user authenticates on an Okta-joined device, Okta creates a device session using a hardware-backed key stored in the device's secure hardware:
- Windows: Trusted Platform Module (TPM)
- macOS: Secure Enclave
Session creation
Exactly when the hardware-bound session is established depends on the operating system:
- Windows: The session starts when the user signs in to Windows using Desktop MFA with an online factor. If the user signs in using an offline factor instead, the session starts after the first successful online authentication to an Okta-protected app.
- macOS: Unlocking or signing in to the device doesn't create the device session. The session starts when the user performs an online authentication in a browser.
The hardware-bound session is established with Okta when the user attempts to access an app whose sign-on policy contains a rule with the Device State condition set to Registered. The rule can be at any priority level in the policy.
Ensure that such a rule exists for the apps that users typically access first after signing in to the device, for example the Okta End-User Dashboard, a VPN client, or productivity apps. If none of those apps has a Registered rule, the device session isn't created and users keep receiving MFA prompts.
Security and validation
Unlike standard browser cookies, the Device-Bound SSO session is strictly tied to the device hardware.
When a user attempts to access an Okta-protected app, Okta evaluates the device session against the app's sign-on policy.
If the factors recorded in the device session meet the assurance requirements defined in the matching rule of that sign-on policy, Okta grants the user seamless access. If they don't (for example, a rule requires a phishing-resistant factor that the session doesn't carry), the user is prompted to authenticate.
Device-bound session duration
The device-bound session remains active until the user signs out of the device or an admin performs one of the following actions:
- Suspend, deactivate, or delete the user. See Deactivate and delete user accounts.
- Suspend, deactivate, or delete the device. See Device lifecycle.
- Clear the user's Okta sessions. See Revoke all user sessions.
The device-bound session remains active when the user locks the device and resumes when they unlock the device.
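The following Python model ties together the behavior described in Session creation, Security and validation, and Device-bound session duration. It is an added illustration written for this page, not Okta code, and it doesn't model Okta's real policy engine: the data shapes (`Device`, `DeviceSession`, `Rule`, `Policy`), the event names (`desktop_signin_online`, `desktop_signin_offline`, `app_auth_online`), the factor labels, and the priority ordering (lower number evaluated first) are all assumptions chosen to show when a session is created, why a Registered rule is needed, how assurance is compared, and which events end the session.

```python
"""Toy model of Device-Bound SSO session creation, evaluation and lifecycle.

Added example, not Okta's implementation. All names, events and factor
labels below are assumptions for illustration only.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional, Tuple


class OS(Enum):
    WINDOWS = "windows"
    MACOS = "macos"


@dataclass
class Device:
    os: OS
    okta_joined: bool  # registered via a Device Access SCEP cert and linked to a primary user
    locked: bool = False


@dataclass
class DeviceSession:
    """Hardware-bound session (key in TPM / Secure Enclave). 'factors' records
    what the user proved when the session was established."""
    factors: FrozenSet[str]
    active: bool = True


@dataclass
class Rule:
    name: str
    priority: int  # assumption: lower number is evaluated first
    required_factors: FrozenSet[str]  # assurance the rule demands
    device_state: Optional[str] = None  # "Registered" or None (no device condition)


@dataclass
class Policy:
    rules: List[Rule]

    def has_registered_device_rule(self) -> bool:
        # The Registered rule may sit at any priority level in the policy.
        return any(r.device_state == "Registered" for r in self.rules)


def establish_session(device: Device, event: str, factors, policy: Policy) -> Optional[DeviceSession]:
    """Return a new device session if this event creates one, else None."""
    if not device.okta_joined:
        return None  # only Okta-joined devices get a hardware-bound session
    if event == "desktop_signin_online":
        # Windows Desktop MFA with an online factor creates the session at OS sign-in;
        # macOS sign-in or unlock never does.
        return DeviceSession(frozenset(factors)) if device.os is OS.WINDOWS else None
    if event == "app_auth_online":
        # First successful online auth to an app whose policy has a Registered rule.
        return DeviceSession(frozenset(factors)) if policy.has_registered_device_rule() else None
    return None  # e.g. desktop_signin_offline: nothing is created yet


def evaluate(policy: Policy, device: Device, session: Optional[DeviceSession]) -> Tuple[str, str]:
    """Walk rules by priority; return ('SEAMLESS'|'PROMPT'|'DENY', matched rule name).
    A locked device does not affect the session, so device.locked is ignored here."""
    for rule in sorted(policy.rules, key=lambda r: r.priority):
        if rule.device_state == "Registered" and not device.okta_joined:
            continue  # condition not met, fall through to the next rule
        if session is not None and session.active and rule.required_factors <= session.factors:
            return "SEAMLESS", rule.name  # session already carries the required assurance
        return "PROMPT", rule.name  # user must authenticate with the missing factors
    return "DENY", ""


# Lifecycle events from "Device-bound session duration".
ADMIN_REVOKING_ACTIONS = {
    "suspend_user", "deactivate_user", "delete_user",
    "suspend_device", "deactivate_device", "delete_device",
    "clear_user_sessions",
}


def lock(device: Device, session: DeviceSession) -> DeviceSession:
    device.locked = True
    return session  # locking leaves the session active


def unlock(device: Device, session: DeviceSession) -> DeviceSession:
    device.locked = False
    return session  # session simply resumes


def sign_out(session: DeviceSession) -> None:
    session.active = False


def admin_action(session: DeviceSession, action: str) -> None:
    if action not in ADMIN_REVOKING_ACTIONS:
        raise ValueError(f"{action} does not end the device session")
    session.active = False


if __name__ == "__main__":
    mfa = {"password", "okta_verify_push"}
    policy = Policy([Rule("registered-devices", 1, frozenset(mfa), "Registered"),
                     Rule("catch-all", 99, frozenset({"password", "fido2"}))])
    win = Device(OS.WINDOWS, okta_joined=True)
    s = establish_session(win, "desktop_signin_online", mfa, policy)
    print("dashboard:", evaluate(policy, win, s))
    admin_action(s, "clear_user_sessions")
    print("after clearing sessions:", evaluate(policy, win, s))
```

Two things the model makes visible: a macOS desktop sign-in yields no session, so the first app the user opens must match a Registered rule or the session never comes into existence; and a session created with push-based MFA is not "seamless" for a rule that demands a FIDO2 factor, because the assurance check compares the factors recorded in the session against the matching rule, not just the existence of a session.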
