Windows Desktop MFA user experience

Desktop MFA strengthens the security posture of Windows desktop computers by prompting users to verify their identity using multifactor authentication. Users must configure an offline verification method before gaining access to apps and data. This offline verification method enables secure access to the computer when the user is without an internet connection.

Before setup, users must meet these requirements:

  • Okta Verify installed on a mobile device. They can have Okta Verify installed in advance or install it as part of the Desktop MFA setup.

  • Okta Verify push notifications enabled for their mobile device.

After Desktop MFA has been configured and deployed, review the user setup and sign-in process, prepare communication for the rollout, and review support details.

User setup

  1. After the computer starts, the user is prompted to sign in to Windows. At this point, Desktop MFA checks if the user has enrolled an offline authentication method to sign in. If no offline enrollments are found, Desktop MFA prompts the user to add a verification method. It also displays the remaining sign-in attempts the user has before they're locked out of the computer.

  2. The user selects a method of offline verification to enroll: Offline one-time password or Offline security key.

  3. After the user clicks Set up, they receive a prompt to ensure that Okta Verify is installed. If the user doesn't have Okta Verify installed, they can select the appropriate App Store link to install the software.

    • Offline one-time password: After the user confirms that Okta Verify is installed, the system displays a QR code to scan using the Okta Verify app. The user is asked to enter the offline one-time password shown in Okta Verify. An Offline one-time password account with the Windows device name is added to Okta Verify. This account can be used to verify the user when they're offline. The user sees a message confirming the successful addition of the authentication method.

    • Offline security key: After confirming that Okta Verify is installed, the user clicks Next. The user is prompted to insert and then tap the key to validate the device and the user. This adds an Offline security key account with the Windows device name to Okta Verify. This account can be used to verify the user when they're offline. The user sees a message confirming the successful addition of the authentication method.

User authentication

After the computer starts, the system asks the user to either enter a username or select a user, and then enter a password. They then have to choose an authentication method to validate their identity.

If the user has more than one authentication method setup, they can select any method available to them.

The MFA options are:

  • Okta Verify push notification

  • Okta Verify one-time password

  • Security key (USB)

  • Offline one-time password

  • Offline security key with OATH support.

The Okta Verify push notification, Okta Verify one-time password, and Security key (USB) (FIDO2) methods require an internet connection. Only the Offline one-time password and Offline security key methods work when the computer is offline, which is why users must enroll one of them before they can use the computer.

When the user selects an authentication method, they need to complete the validation request:

  • For Okta Verify push notification, click Send push. Check the mobile device and confirm the sign-in attempt in the Okta Verify app.

    If you enabled the enforced number challenge, then all push notifications sent to users for validation are number challenges, regardless of your authentication policy. See Enforce number challenge for Desktop MFA.

  • For Okta Verify one-time password, open Okta Verify on a mobile device and find the one-time password. Enter the number in the sign-in field, and then click the arrow to proceed.

  • For Security key (USB), a PIN is required. Insert the security key into a USB port, and then enter the key's PIN. After the key is validated, the user is prompted to tap the security key to gain access to the device.

  • For Offline one-time password, open Okta Verify on a mobile device and find the one-time password. Enter the number in the Windows sign-in field and click the arrow to proceed.

  • For Offline security key, insert or tap the security key as prompted.

If authentication is successful, the user gains access to the Windows computer. The next time the user signs in to Windows, the last MFA method they used is automatically selected. To choose a different authentication method, the user must click Try another way and select an alternate method to verify their identity.

Desktop Password Autofill

When you enable the Desktop Password Autofill option, users can respond to a push notification or use a FIDO2 key to sign in to Windows without entering a password.

Requirements

  • The Windows computer must be online. If the computer is offline, the user can enter their password.

  • The user has either Okta Verify Push or a FIDO2 key enrolled as an authentication factor.

  • If using Okta Verify Push, the user's Okta Verify account must have biometrics enabled.

Initial sign-in flow

The first time a user signs in to their Windows computer, they provide their username (if required), a password, and a factor challenge. This challenge is performed either through Okta Verify Push with biometrics, or a FIDO2 security key with a PIN.

After they successfully authenticate, the user is enrolled for password autofill.

Subsequent sign-in flow

The next time the user signs in to the computer, they only need to complete their factor challenge. If the user enrolled using Okta Verify Push, they receive a push notification on their registered mobile device. If the user enrolled with a FIDO2 key, they enter the key's PIN.

After the user either responds to the push notification or enters their FIDO2 key PIN, they're granted access to the computer without requiring a password.

If the Windows computer is offline, or if the password autofill fails for any reason, the user can enter their password to sign in.

When a user's password is reset, the system prompts the user to enter the new password at the next sign-in attempt.

Similarly, if the SamAccountName (SAM) and UserPrincipalName (UPN) don't match, the system prompts the user to input their password at the next sign-in attempt.

Self-service password reset

If you enable the self-service password reset option, users can initiate a password reset if they've forgotten their password. Users must be online to reset their password.

When a user forgets their password, they click Forgot password? on the Windows computer. The user is asked to verify their identity with Okta Verify on the user's mobile device.

After the user's identity has been verified, they're prompted for a new password. This new password must meet the password requirements. When the password is successfully changed, the user receives a message saying Your password has been changed.

If the Okta username doesn't match either the SamAccountName (SAM) or the UserPrincipalName (UPN), self-service password reset isn't available. See Create and configure the Desktop MFA app integration.
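Both the password autofill and the self-service password reset sections above depend on the user's SamAccountName, UserPrincipalName, and Okta username lining up. The following PowerShell check is an added example for finding misaligned accounts before rollout; it is not part of the Okta documentation or product. It assumes that "match" means the SamAccountName equals the UPN prefix (the part before @) and that the Okta username is compared case-insensitively against either value; the function name Test-DesktopMfaNameAlignment, the sample accounts, and the Okta username mapping are constructed for illustration.

```powershell
# Added example, not Okta's code. Flags accounts whose SamAccountName, UPN and
# Okta username don't align, since the page says a SAM/UPN mismatch forces a
# password prompt after autofill and an Okta-username mismatch disables SSPR.
# Assumption: "match" = SamAccountName equals the UPN prefix (text before '@').

function Test-DesktopMfaNameAlignment {
    param(
        # Objects exposing SamAccountName and UserPrincipalName (e.g. Get-ADUser output)
        [Parameter(Mandatory)] [object[]] $Users,
        # Optional map: SamAccountName -> Okta username (assumed mapping, constructed here)
        [hashtable] $OktaUsernames = @{}
    )
    foreach ($u in $Users) {
        $sam = $u.SamAccountName
        $upn = $u.UserPrincipalName
        $upnPrefix = if ($upn) { ($upn -split '@')[0] } else { $null }
        $samUpnMatch = ($null -ne $upnPrefix) -and ($sam -ieq $upnPrefix)

        $oktaName  = $OktaUsernames[$sam]
        $oktaMatch = $null   # $null = no Okta username supplied for this account
        if ($oktaName) {
            $oktaMatch = ($oktaName -ieq $sam) -or ($oktaName -ieq $upn)
        }

        [pscustomobject]@{
            SamAccountName      = $sam
            UserPrincipalName   = $upn
            SamMatchesUpn       = $samUpnMatch   # $false -> password prompt after autofill
            OktaUsername        = $oktaName
            OktaMatchesSamOrUpn = $oktaMatch     # $false -> self-service password reset unavailable
        }
    }
}

# Constructed sample data so the check runs without a domain controller or Okta tenant.
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   UserPrincipalName = 'jdoe@corp.example' }
    [pscustomobject]@{ SamAccountName = 'asmith'; UserPrincipalName = 'alice.smith@corp.example' }
    [pscustomobject]@{ SamAccountName = 'legacy'; UserPrincipalName = $null }
)
$oktaMap = @{
    'jdoe'   = 'jdoe@corp.example'          # matches UPN -> SSPR available
    'asmith' = 'asmith'                     # matches SAM, but SAM != UPN prefix -> password prompt
    'legacy' = 'legacy.user@corp.example'   # matches neither -> SSPR unavailable
}

Test-DesktopMfaNameAlignment -Users $sampleUsers -OktaUsernames $oktaMap |
    Where-Object { -not $_.SamMatchesUpn -or $_.OktaMatchesSamOrUpn -eq $false } |
    Format-Table -AutoSize

# Against a real domain (requires the ActiveDirectory module on the admin workstation):
# $adUsers = Get-ADUser -Filter 'Enabled -eq $true' -Properties SamAccountName, UserPrincipalName
# Test-DesktopMfaNameAlignment -Users $adUsers | Where-Object { -not $_.SamMatchesUpn }
```

Run it against the sample data and the two problem accounts (asmith and legacy) are listed; against a real domain, feed it Get-ADUser output and hand the flagged accounts to whoever owns the Okta username mapping before users hit the password prompt or find Forgot password? missing.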

Next step

Support your users