Configure the user verification type for Okta Verify for Windows

You can configure the user verification type for Okta Verify by using the UserVerificationType option when you deploy the app. To change the user verification type after deployment, uninstall Okta Verify and reinstall it with other configuration options. For configuration options, see Okta Verify configurations for Windows devices.

The default UserVerificationType depends on the value of AuthenticatorOperationMode. See Configure Okta Verify for physical or virtual Windows environments.

  • If AuthenticatorOperationMode is VirtualDesktopStatic or VirtualDesktopLayered, UserVerificationType defaults to OktaVerifyPasscode.

    If you deploy Okta Verify in a virtual environment and want to use a passcode for user verification, set the appropriate value for AuthenticatorOperationMode. UserVerificationType is then automatically set to OktaVerifyPasscode.

  • If AuthenticatorOperationMode is Normal, UserVerificationType defaults to WindowsHello.

    If you deploy Okta Verify on physical machines such as laptops or desktops, and want to use Windows Hello for user verification, no configuration is required.

User verification with Windows Hello

Set the UserVerificationType option to WindowsHello.

During enrollment, Okta Verify prompts users to enable Windows Hello confirmation.

When the authentication policy requires two factor types or user verification, Okta Verify prompts users to confirm their identity with Windows Hello biometrics or PIN.

User verification with an Okta Verify passcode

Starting with version 4.9.0, Okta Verify supports user verification with an Okta Verify passcode. To enable it, set the UserVerificationType option to OktaVerifyPasscode.

During enrollment, Okta Verify prompts users to create a passcode with at least eight characters. The passcode is securely stored by the Windows operating system. Okta Verify doesn't store the user’s passcode.

When the authentication policy requires two factor types or user verification, Okta Verify prompts users to confirm their identity with the passcode they created during enrollment. If the user enters an incorrect passcode, Okta Verify allows two more attempts.

If the device has a Trusted Platform Module (TPM), Okta Verify stores the passcode-protected user verification key in the TPM. If the user exceeds the incorrect passcode limit, the TPM ignores further requests from Okta Verify. In response, the user receives an error message from Okta Verify. They're prompted to restart the device to continue to use Okta Verify.

If a user continues to enter incorrect passcodes, the TPM might lock for a fixed period. Restarting the device may no longer allow the user to continue with Okta Verify. For details about the lockout, timeout, resetting, or clearing the TPM, see the manufacturer documentation.
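Because changing the verification type after deployment means uninstalling and reinstalling, it helps to check the intended options before rollout. The following PowerShell sketch is an added example, not Okta's own tooling: it applies the default rules and the 4.9.0 passcode requirement described on this page. The function name is hypothetical, and passing installer options as Name=Value pairs is an assumption to confirm against Okta Verify configurations for Windows devices.

```powershell
# Added example (not from Okta): resolve the effective UserVerificationType
# for a planned deployment and reject combinations this page rules out.
function Resolve-OktaVerifyUserVerification {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Normal', 'VirtualDesktopStatic', 'VirtualDesktopLayered')]
        [string]$AuthenticatorOperationMode,

        # Leave empty to accept the default for the chosen operation mode.
        [ValidateSet('WindowsHello', 'OktaVerifyPasscode')]
        [string]$UserVerificationType,

        # Version of the Okta Verify installer being deployed.
        [Parameter(Mandatory)]
        [version]$OktaVerifyVersion
    )

    # Defaults from this page: Normal -> WindowsHello, virtual modes -> OktaVerifyPasscode.
    $default = if ($AuthenticatorOperationMode -eq 'Normal') { 'WindowsHello' } else { 'OktaVerifyPasscode' }
    $effective = if ($UserVerificationType) { $UserVerificationType } else { $default }

    # Passcode verification is supported starting with version 4.9.0.
    if ($effective -eq 'OktaVerifyPasscode' -and $OktaVerifyVersion -lt [version]'4.9.0') {
        throw "OktaVerifyPasscode requires Okta Verify 4.9.0 or later; installer is $OktaVerifyVersion."
    }

    # Assumed Name=Value option syntax; only pass UserVerificationType when it overrides the default.
    $installerArgs = @("AuthenticatorOperationMode=$AuthenticatorOperationMode")
    if ($effective -ne $default) {
        $installerArgs += "UserVerificationType=$effective"
    }

    [pscustomobject]@{
        OperationMode     = $AuthenticatorOperationMode
        EffectiveType     = $effective
        OverridesDefault  = ($effective -ne $default)
        InstallerArgs     = $installerArgs
    }
}

# Constructed sample inputs: a layered VDI image and a laptop fleet on an older installer.
Resolve-OktaVerifyUserVerification -AuthenticatorOperationMode VirtualDesktopLayered -OktaVerifyVersion '4.9.0.0'
try {
    Resolve-OktaVerifyUserVerification -AuthenticatorOperationMode Normal `
        -UserVerificationType OktaVerifyPasscode -OktaVerifyVersion '4.8.1.0'
} catch {
    Write-Warning $_.Exception.Message
}
```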

Related topics

Okta Verify configurations for Windows devices

Configure Okta Verify for physical or virtual Windows environments