Desktop MFA Recovery

Early Access release. See Enable self-service features.

When a user is unable to sign in to their computer because they don't have access to their Okta Verify enrolled MFA device or access to other authenticators, admin assistance is required to regain access. When Desktop MFA Recovery is enabled, users can contact an IT administrator to receive a time-limited device recovery PIN, which allows them to temporarily access the computer.

Be advised that your use of this feature may increase your attack surface if you don't implement policies or procedures to help your admin and support personnel authenticate the device, the user, and the request.

To configure Desktop MFA Recovery for macOS, a security setting must be enabled in the Admin Console. After Desktop MFA Recovery is enabled, admins with the appropriate permissions can view a recovery PIN to share with the user. The recovery PIN must be used within two minutes. If the user doesn't enter the correct recovery PIN within the time limit, the PIN expires and a new one must be generated.

After the user has gained access to the computer, they can reuse the recovery PIN for the duration set by the admin. Users should recover the Okta Verify enrolled MFA device as soon as possible to maintain secure access to their computer, or register a new MFA device.

Prerequisites

  • Configure Device Access SCEP certificates before you set up Desktop MFA Recovery.

  • The user's macOS computer needs to have been online within the last seven days.

  • Super admins, help desk admins, and org admins must have the appropriate permissions to create or view recovery PINs. If you're using a custom admin role, OKTA_DEVICES_MANAGE permission is required. See Standard administrator roles and permissions.

Enable Desktop MFA Recovery

  1. In the Admin Console, go to Settings > Features.

  2. Locate Desktop MFA Admin Recovery, and click the toggle to enable the feature.

  3. Go to Security > General and scroll to the Okta Device Access section.

  4. Click Edit. Super admin access is required to enable the feature. If you don't see the Edit button, check your admin account access level.

  5. Using the dropdown menu, select Enabled.

  6. Click Save.

Configure Desktop MFA Recovery

After Desktop MFA Recovery is enabled in your org, use your MDM to push the configuration to devices. See Configure and deploy Desktop MFA policies.

  • Value name: DeviceRecoveryPINDuration

  • Description: How long device recovery PINs remain valid after activation. The value is in minutes, with a maximum of five days (7200).

  • Default value: 60 minutes

Create device recovery PIN

When a user is unable to sign in to their computer because they don't have access to their Okta Verify enrolled MFA device or any other authenticators, they must contact their IT administrator to receive a device recovery PIN, which allows them to temporarily access the computer.

  1. When a user contacts your organization's IT department for assistance, the IT administrator must manually verify the user's identity in accordance with your company's policy.

  2. Have the user provide the model, make, and serial number of the computer they're unable to access. This helps confirm that the device is associated with the appropriate account. Users can see the computer name on the macOS login window.

  3. After the user's identity and device have been validated, open the Admin Console, and go to Directory > Devices. You can also access the user's computer information from Directory > People > User > Devices.

  4. Locate the user's computer using the serial number, computer name, or the user's name, and then click the device to open detailed information.

  5. In the Device Recovery column, click View Recovery PIN. A message appears with the user's name and a warning about the implications of generating a device recovery PIN. After reviewing the warning, click Generate device recovery PIN. The PIN is valid for two minutes.

  6. Share the PIN with the user, and remind them that they have two minutes to enter the PIN before it expires. Confirm that the user is able to sign in to their computer with the PIN. When the user successfully gains access to their computer, the PIN is valid for the duration configured with your MDM and the DeviceRecoveryPINDuration setting. You should share the duration with the IT department. See Configure and deploy Desktop MFA policies.

  7. Optional. If the user lost their Okta Verify enrolled MFA device, click Reset authenticators to update their authenticator configuration. This allows the user to enroll a new device for MFA.

  8. Advise the user to recover the Okta Verify enrolled MFA device or register a new MFA device before the PIN expires. If the PIN expires, the user must contact the IT department to receive a new device recovery PIN, which starts the DeviceRecoveryPINDuration timer again.
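As an added illustration (not Okta's code), the following Python models the two timers this procedure describes: the two-minute entry window after a PIN is generated, and the DeviceRecoveryPINDuration reuse window that starts at the first successful sign-in. It also checks an MDM DeviceRecoveryPINDuration value against the range given under Configure Desktop MFA Recovery. The state names and the minute-offset representation are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Optional

ENTRY_WINDOW_MINUTES = 2.0      # a freshly generated PIN must be entered within two minutes
MAX_DURATION_MINUTES = 7200     # five days, the documented ceiling for DeviceRecoveryPINDuration
DEFAULT_DURATION_MINUTES = 60   # documented default


def pin_duration_error(minutes):
    """Return None if an MDM DeviceRecoveryPINDuration value is in the documented range, else a reason."""
    if isinstance(minutes, bool) or not isinstance(minutes, int):
        return f"DeviceRecoveryPINDuration must be an integer number of minutes, got {minutes!r}"
    if not 1 <= minutes <= MAX_DURATION_MINUTES:
        return f"DeviceRecoveryPINDuration must be 1..{MAX_DURATION_MINUTES} minutes (five days), got {minutes}"
    return None


@dataclass
class RecoveryPin:
    """Lifecycle of one device recovery PIN; times are minutes since the PIN was generated (model assumption)."""
    duration_minutes: int = DEFAULT_DURATION_MINUTES
    first_used_at: Optional[float] = None

    def state(self, now):
        if self.first_used_at is None:
            # Not yet entered: only the two-minute entry window applies.
            return "awaiting_entry" if now <= ENTRY_WINDOW_MINUTES else "expired_unused"
        if now - self.first_used_at <= self.duration_minutes:
            return "active"   # reusable until the DeviceRecoveryPINDuration timer runs out
        return "expired"      # a new PIN must be generated, which restarts the timer

    def attempt_sign_in(self, now):
        """Return True if sign-in with this PIN succeeds at minute `now`."""
        state = self.state(now)
        if state == "awaiting_entry":
            self.first_used_at = now  # first successful entry starts the DeviceRecoveryPINDuration timer
            return True
        return state == "active"


def simulate(duration_minutes, attempt_times):
    """Replay sign-in attempts (minutes after generation) and return each attempt's outcome."""
    err = pin_duration_error(duration_minutes)
    if err:
        raise ValueError(err)
    pin = RecoveryPin(duration_minutes)
    return [pin.attempt_sign_in(t) for t in attempt_times]


if __name__ == "__main__":
    # Constructed scenario: entered at minute 1, reused at minute 30, attempted again after the hour.
    print(simulate(60, [1, 30, 61.5]))   # [True, True, False]
    # Constructed scenario: the user waits three minutes, so the PIN expires unused.
    print(simulate(60, [3, 4]))          # [False, False]
```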

To see the device recovery process from the user's side, review the information in Request a device recovery PIN.

Related topics

Get started with Desktop MFA for macOS

Configure FIDO2 keys

Device Access SCEP certificates

Support your Desktop MFA users