Device registration binds a user to the Okta Verify app instance on the device. Each registered device is a unique object in the Okta Universal Directory and is visible on the Devices page.
Device registration is only possible through Okta Verify enrollment. Admins can't create devices.
End users register devices by enrolling (adding an account) in Okta Verify using any of the following methods:
- On a desktop or mobile device, open the Okta Verify app, and then tap or click Add an account.
- On a mobile device, scan the Okta Verify QR code that is displayed on the desktop computer, open the activation link sent by email or SMS, or enter a secret key.
How does it work?
- When end users add an account in Okta Verify, they're prompted to prove their identity. They do this by entering their username and password and, if the Global Session Policy requires it, an additional authenticator (2FA).
- If authentication succeeds, a unique proof-of-possession key is created and stored on the device. Where the device has secure hardware, the key is stored in a hardware-backed keystore (for example, a Trusted Platform Module or the Secure Enclave); otherwise it is stored in a software-backed keystore.
- Okta creates a device record in the Universal Directory, which binds the user to the device and Okta Verify app instance. The device is registered in Okta and appears on the Devices page of the Okta Admin Console (Directory > Devices).
- When end users access an Okta-managed app from the device, Okta probes the device to determine whether:
  - Okta Verify is installed on the device
  - The device is registered (an account has been added to Okta Verify)
  - The device is managed by a device management solution
  - Secure hardware is present (TPM, Secure Enclave)
  - The Proof of Possession key is hardware protected
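The conditions above are also what an admin wants to review across the whole device inventory, for example to find registered devices whose proof-of-possession key is only software protected. The script below is an added example, not Okta's code or part of this page; it assumes the record shape of the Okta Devices API (`GET /api/v1/devices`, with `status` and `profile.registered`, `profile.managed`, `profile.secureHardwarePresent`, `profile.platform`) and the `Link: rel="next"` pagination header that API uses. The sample records are constructed for illustration and do not describe real devices.

```python
"""Audit Okta device records for registration and key-protection posture.

Added example, not Okta's own code. Field names follow the Okta Devices API
(GET /api/v1/devices) as assumed in the lead-in; adjust if your tenant differs.
"""
import json
import re
import urllib.request
from typing import Iterator

# Constructed sample shaped like a Devices API response (not real devices).
SAMPLE_DEVICES = json.loads("""[
  {"id": "dev-mac-1", "status": "ACTIVE",
   "profile": {"displayName": "Finance MacBook", "platform": "MACOS",
               "registered": true, "managed": true, "secureHardwarePresent": true}},
  {"id": "dev-win-2", "status": "ACTIVE",
   "profile": {"displayName": "Old Windows laptop", "platform": "WINDOWS",
               "registered": true, "managed": false, "secureHardwarePresent": false}},
  {"id": "dev-ios-3", "status": "ACTIVE",
   "profile": {"displayName": "Personal iPhone", "platform": "IOS",
               "registered": true, "managed": false, "secureHardwarePresent": true}},
  {"id": "dev-and-4", "status": "DEACTIVATED",
   "profile": {"displayName": "Retired Android", "platform": "ANDROID",
               "registered": false, "managed": false, "secureHardwarePresent": false}}
]""")


def classify(device: dict) -> str:
    """Map one device record onto the conditions Okta probes at sign-in."""
    p = device.get("profile", {})
    if device.get("status") != "ACTIVE" or not p.get("registered"):
        return "not-registered"       # no usable Okta Verify binding on this device
    if not p.get("secureHardwarePresent"):
        return "software-keystore"    # PoP key can only be software protected
    if not p.get("managed"):
        return "hardware-unmanaged"   # hardware-backed key, but no management signal
    return "hardware-managed"         # strongest posture: managed + hardware key


def audit(devices: list[dict]) -> dict[str, list[str]]:
    """Group device IDs by posture so the weakest ones can be reviewed first."""
    report: dict[str, list[str]] = {}
    for d in devices:
        report.setdefault(classify(d), []).append(d["id"])
    return report


def fetch_devices(org_url: str, api_token: str) -> Iterator[dict]:
    """Page through GET /api/v1/devices, following the Link header's rel="next".

    Network call: not exercised by the offline sample run below. SSWS is the
    API-token authorization scheme used by the Okta management API.
    """
    url = f"{org_url.rstrip('/')}/api/v1/devices?limit=200"
    while url:
        req = urllib.request.Request(url, headers={
            "Authorization": f"SSWS {api_token}",
            "Accept": "application/json",
        })
        with urllib.request.urlopen(req) as resp:
            yield from json.load(resp)
            # Okta may send several Link headers (self, next); join them all.
            links = ", ".join(resp.headers.get_all("Link") or [])
        m = re.search(r'<([^>]+)>;\s*rel="next"', links)
        url = m.group(1) if m else None


if __name__ == "__main__":
    for posture, ids in sorted(audit(SAMPLE_DEVICES).items()):
        print(f"{posture:20s} {', '.join(ids)}")
```

Devices in the `software-keystore` bucket are the ones a device assurance policy that requires a hardware-protected key would block; surfacing them before the policy is enforced avoids locking users out without warning.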