Desktop MFA for Windows
Desktop MFA for Windows adds a layer of security to the Windows sign-in process. It ensures that a user must prove their identity with extra factors to access their physical or virtual Windows machines.
After you configure Desktop MFA in the Admin Console, you can deploy it through your Mobile Device Management (MDM) solution. This pushes a single, packaged installer to desktop computers. The user experience depends on which options you enable and how you configure the app sign-in policies for your org.
Desktop MFA supports the following authenticators:
- Online: Okta Verify Push, Okta Verify TOTP (time-based one-time password), or a FIDO2 security key.
- Offline: Okta Verify TOTP or an OATH-compliant security key.
Other Desktop MFA for Windows features:
- Desktop Password Autofill: Users can authenticate and gain access to their Windows systems through a passwordless experience. Users authenticate through a push notification to a registered mobile device. They can also use a FIDO2 security key.
- Self-Service Password Reset: Users can initiate a password reset directly from the Windows sign-in screen. This feature helps prevent lockouts and reduces the burden on IT help desks.
Before you begin
Ensure that you meet these requirements:
- Your Okta Identity Engine org is available.
- Your Windows computers are running Windows 11, or Windows 10 version 21H2 or later. See Supported platforms for Okta Verify.
- Active Directory or Microsoft Entra ID is configured.
- Every Windows virtual machine or device is joined to Active Directory or Microsoft Entra ID. Sign-in over Remote Desktop Protocol (RDP) isn't supported.
- Okta Verify is configured as an authenticator in your org.
- Okta Verify push notifications are enabled.
- Users have Okta Verify installed on a mobile device.
- An MDM or software deployment solution, such as Group Policy or SCCM, is set up and available.
- .NET Framework 4.8 is installed.
- For security reasons, Okta doesn't allow inspection or modification of traffic between Okta Verify and its endpoints. If you use a TLS-inspecting (SSL) proxy, exclude your organization's Okta domains from inspection. Typically Okta domains are *.okta.com or *.oktapreview.com. For a complete list of Okta domains, see Allow access to Okta IP addresses.
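The following PowerShell function is an added example, not part of the Okta documentation or the Desktop MFA installer: it checks the machine-side prerequisites above (OS build, .NET Framework 4.8, AD or Entra ID join) and opens a TLS connection to your Okta domain so you can see which CA issued the certificate the client actually received. The domain name is a placeholder you must replace; the build numbers (19044 for Windows 10 21H2, 22000 for Windows 11) and the .NET 4.8 registry Release value (528040) are the documented Microsoft values. The issuer check is deliberately left as a human decision, because a TLS-inspecting proxy presents a certificate signed by your own enterprise CA rather than by a public CA.

```powershell
function Test-DesktopMfaPrerequisites {
    param(
        # Placeholder: replace with your org's Okta domain, e.g. example.okta.com
        [Parameter(Mandatory)][string]$OktaDomain
    )
    $results = [ordered]@{}

    # 1. OS: Windows 11 (build 22000+) or Windows 10 21H2 (build 19044) or later
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    $results['OSBuild']          = $build
    $results['OSSupported']      = ($build -ge 19044)

    # 2. .NET Framework 4.8: the Release value under the v4 Full key is >= 528040
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = [int](Get-ItemProperty -Path $ndp -ErrorAction SilentlyContinue).Release
    $results['DotNetRelease']    = $release
    $results['DotNet48Present']  = ($release -ge 528040)

    # 3. Joined to Active Directory (WMI) or to Microsoft Entra ID (dsregcmd)
    $adJoined    = [bool](Get-CimInstance Win32_ComputerSystem).PartOfDomain
    $entraJoined = [bool]((dsregcmd /status) -match 'AzureAdJoined\s*:\s*YES')
    $results['ADJoined']         = $adJoined
    $results['EntraJoined']      = $entraJoined
    $results['DirectoryJoined']  = ($adJoined -or $entraJoined)

    # 4. TLS path to Okta: record the issuer of the leaf certificate the client sees.
    #    A public CA (for example DigiCert) means no interception on this path;
    #    an enterprise or proxy CA means the Okta domain still needs an inspection bypass.
    try {
        $tcp = [System.Net.Sockets.TcpClient]::new($OktaDomain, 443)
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($OktaDomain)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $results['TlsSubject']   = $cert.Subject
        $results['TlsIssuer']    = $cert.Issuer
        $results['TlsReachable'] = $true
        $ssl.Dispose(); $tcp.Dispose()
    } catch {
        $results['TlsReachable'] = $false
        $results['TlsError']     = $_.Exception.Message
    }

    [pscustomobject]$results
}

# Usage (run in an elevated Windows PowerShell session on the target device):
# Test-DesktopMfaPrerequisites -OktaDomain 'example.okta.com' | Format-List
```

Run it on a representative device from each MDM deployment ring before pushing the installer; a `DirectoryJoined` of `False` or a `TlsIssuer` naming your internal CA are the two findings that will otherwise surface as sign-in failures after rollout.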
Tasks
The tasks for Desktop MFA are divided into two sections. First, you set up and configure the Desktop MFA app on the admin side. Then you customize the user sign-in experience.
