Desktop MFA for macOS
Desktop MFA for macOS adds an extra layer of security to the macOS sign-in process by asking users for additional authentication factors before allowing computer access.
After you configure Desktop MFA in the Admin Console, you can deploy it through your Mobile Device Management (MDM) solution. This pushes a single, packaged installer to desktop computers. The user experience depends on which options you enable and how you configure the app sign-in policies for your org.
After you deploy Desktop MFA, users are prompted to set up one or more authentication methods to verify their identity. Users must configure at least one authentication method within the configurable sign-in limit. If the user goes over the limit, they're locked out of the computer and admin intervention is required to regain access.
Link accounts
Account linking on macOS creates a secure and streamlined sign-in experience by integrating macOS authentication with the identity management and MFA capabilities of Okta.
When you set up Desktop MFA for macOS, Okta links the user's local macOS user account with their Okta identity.
Instead of maintaining separate passwords for their local computer and Okta accounts, users can sign in using their Okta username, password, and an MFA factor. Desktop MFA supports the following authenticators:
- Online: Okta Verify Push, Okta Verify TOTP (time-based one-time password), or a FIDO2 security key.
- Offline: Okta Verify TOTP.
See Link an end user account to macOS.
Before you begin
Ensure that you meet these requirements:
- Your Okta Identity Engine org is available.
- Your macOS computers are running a supported version of macOS. See Supported platforms for Okta Verify.
- Okta Verify is configured as an authenticator in your org.
- Okta Verify push notifications are enabled.
- Users have Okta Verify installed on a mobile device.
- Devices are enrolled in an MDM solution that supports the deployment of installer packages and configuration profiles.
- The Desktop MFA app is available for your org.
If you can't locate the Desktop MFA app in the Okta app catalog, contact your account representative.
