Configure Desktop MFA app integration for Windows

Desktop MFA for Windows adds a layer of security to the Windows sign-in process by asking users for extra authentication before allowing computer access. When Desktop MFA for Windows is configured and deployed, users are prompted to set up one or more authentication methods to verify their identity. Users must set up at least one authentication method within the configurable sign-in limit. If the user goes over the limit, they're locked out of the computer and require admin intervention to regain access.

Configure Desktop MFA in the Admin Console, and then deploy it through your Mobile Device Management (MDM) solution. This pushes a single, packaged installer to desktop computers. The user experience depends on which options you enable and how the Okta org's authentication policies are configured. Desktop MFA supports the following authenticators:

• Online: Okta Verify push, Okta Verify one-time password

• Offline: Okta Verify one-time password, YubiKey versions 5.0 and up and with OATH support.

Desktop MFA for Windows also allows for passwordless login. Once enabled, users can authenticate and gain access to their desktop computers by responding to a push notification that's delivered to a registered mobile device.

Before you begin

Ensure that you meet these requirements:

• Your Okta Identity Engine org is available.

• Active Directory or Azure Active Directory is configured.

• Your Windows virtual machine or device is joined to Active Directory or Azure Active Directory. Remote Desktop Protocol (RDP) access isn't supported.

• The Okta Verify authenticator is set up in your org.

• Okta Verify push notifications are enabled.

• Users have Okta Verify installed on a mobile device.

• Any MDM solution, such as Group Policy or SCCM, is set up and available.

• Windows 10 version 1709 or later or Windows 11 is installed on the endpoints.

• .NET 4.8 is installed.

Remote Desktop Protocol (RDP) isn't supported.

If you use YubiKey, it must be series 5 or greater with OATH support. YubiKey Bio isn't supported.

If you use Windows Server, it must be version 2019 or newer. YubiKey isn't supported for offline authentication with Windows Server.

Before creating and configuring the Desktop MFA application, be aware of the following:

• YubiKey isn't supported for offline authentication with Windows Server.

• After installation, users may see two instances of Okta Verify in the Installed Programs list.

• It's not possible to downgrade Okta Verify.

Tasks

• Create and configure the Desktop MFA app integration

• Download Okta Verify for Windows

• Deploy Desktop MFA for Windows to your endpoints

• Configure Desktop MFA policies

• Enable self-service password reset

• Desktop Passwordless Login

Create and configure the Desktop MFA app integration

1. Sign in to your Okta tenant as a super admin.

2. In the Admin Console, go to SettingsAccountEmbedded widget sign-in support and ensure that the Interaction Code checkbox is selected.

3. In the Admin Console, go to ApplicationsApplications.

4. Click Browse App Catalog and search for Desktop MFA.

5. Click Add integration.

   If you get an error message saying This feature isn’t enabled, contact your account representative.

6. On the General Settings page, edit the application label or click Done to accept the default value. The Okta Verify integration app is created.

7. Click the app to configure it:

   1. On the Sign on tab, go to the Settings section and click Edit. Click the Application username format dropdown menu and select one of the following formats appropriate for your organization. The formats available in the dropdown menu are based on the configuration of your org.

      • AD employee ID

      • AD SAM account name

      • AD SAM account name + domain

      • AD user principal name prefix

      • Custom

      • Email

      • Email prefix

      • Okta

      • Okta username prefix

      The Application username format is the username used to sign in to the device. Having a designated username format allows Okta Verify to ensure that the user signing in is prompted for the correct factors. For example, if your org is configured with Active Directory, users sign in with domain\username or username@domain.

      If the username is the same as what is already used in Okta, it's recommend that you use Okta username prefix. Otherwise, use AD SAM account name or AD user principal name prefix, noting that AD user principal name prefix only works if the UPN prefix matches the SAM account name.

      If your environment is Azure-joined, the username format is the Azure Active Directory UPN (user principal name).

      If your environment is a mix of Azure Active Directory and Active Directory joined devices, you must create a separate Desktop MFA instance to handle different username formats. Hybrid environments aren't currently supported.

   2. On the Assignments tab, assign the app to relevant users or security groups.

   3. On the General tab, go to the Client Credentials section to find the client ID and secret. The identifier and secret are generated when you create the app integration. Make note of these values, as you need them when you deploy Desktop MFA for Windows using your MDM solution.

8. Click Save.

When the Desktop MFA app is integrated, a Desktop MFA authentication policy is added to your org. This policy verifies that users who try to sign in with Desktop MFA meet specific conditions, and enforces factor requirements based on those conditions. The Desktop MFA authentication policy shouldn't be modified for any reason. If necessary, you can create a separate authentication policy to meet the needs of your org. See Authentication policies.

Enable PIN or Biometrics for user verification

You can configure a passwordless sign-in experience for your users. This feature requires users to verify their identity with a PIN or using biometrics. Ensure that possession factor restraints are enabled in the Desktop MFA authentication policy, which is added to your org after the Desktop MFA app has been integrated. The policy verifies that users who try to sign in with Desktop MFA meet specific conditions, and enforces factor requirements based on those conditions.

Before enabling the passwordless sign-in feature, review the options for configuring biometrics with push notifications. See Authentication policies and User Verification with Biometrics for more information.

Download Okta Verify for Windows

Desktop MFA is part of Okta Device Access, which uses Okta Verify for device registration and user authentication. In the Admin Console, go to Settings Downloads and download Okta Verify for Windows (.exe). You must download the Okta Verify package from the Admin Console and not from an App Store. If the Okta Device Access product has been enabled for your organization, Desktop MFA can be configured and deployed. Contact your account representative for more information.

Next steps

Deploy Desktop MFA for Windows to your endpoints

Configure Desktop MFA policies

Enable self-service password reset

Enforce number challenge for Desktop MFA

Desktop Passwordless Login