Windows Desktop MFA user experience

Desktop MFA strengthens the security posture of Windows desktop computers by prompting users to verify their identity using multifactor authentication. Users must configure an offline verification method before gaining access to apps and data. This offline verification method enables secure access to the computer when the user is without an internet connection.

Before setup, users must meet these requirements:

  • Okta Verify installed on a mobile device. They can have Okta Verify installed in advance or install it as part of the Desktop MFA setup.

  • Okta Verify push notifications enabled for their mobile device.

After Desktop MFA has been configured and deployed, review the user setup and sign-in process, prepare communication for the rollout, and review support details.

User setup

  1. After the computer starts, the user is prompted to sign in to Windows. At this point, Desktop MFA checks if the user has enrolled an offline authentication method to sign in. If no offline enrollments are found, Desktop MFA prompts the user to add a verification method. It also displays the remaining sign-in attempts the user has before they're locked out of the computer.

  2. The user selects a method of offline verification to enroll: Offline one-time password or Offline security key.

  3. After the user clicks Set up, they receive a prompt to ensure that Okta Verify is installed. If the user doesn't have Okta Verify installed, they can select the appropriate App Store link to install the software.

    • Offline one-time password: After the user confirms that Okta Verify is installed, the system displays a QR code to scan using the Okta Verify app. The user is asked to enter the offline one-time password shown in Okta Verify. An Offline one-time password account with the Windows device name is added to Okta Verify. This account can be used to verify the user when they're offline. The user sees a message confirming the successful addition of the authentication method.

    • Offline security key: After confirming that Okta Verify is installed, the user clicks Next. The user is prompted to insert and then tap the key to validate the device and the user. This adds an Offline security key account with the Windows device name to Okta Verify. This account can be used to verify the user when they're offline. The user sees a message confirming the successful addition of the authentication method.

User authentication

After the computer starts, the system asks the user to either enter a username or select a user and then enter a password. They then have to choose an authentication method to validate their identity.

If the user has more than one authentication method set up, they can select any method available to them.

The MFA options are:

  • Okta Verify push notification

  • Okta Verify one-time password

  • Security key (USB)

  • Offline one-time password

  • Offline security key with OATH support

Okta Verify push notification, Okta Verify one-time password, and Security key (USB) (a FIDO2 key) can be used only when the computer has an internet connection.

When the user selects an authentication method, they need to complete the validation request:

  • For Okta Verify push notification, click Send push. Check the mobile device and confirm the sign-in attempt in the Okta Verify app.

    If you enabled the enforced number challenge, then all push notifications sent to users for validation are number challenges, regardless of your authentication policy. See Enforce number challenge for Desktop MFA.

  • For Okta Verify one-time password, open Okta Verify on a mobile device and find the one-time password. Enter the number in the sign-in field, and then click the arrow to proceed.

  • For Security key (USB), a PIN is required. Insert the security key into a USB port, and then enter the key's PIN. After the key is validated, the user is prompted to tap the security key to gain access to the device.

  • For Offline one-time password, open Okta Verify on a mobile device and find the one-time password. Enter the number in the Windows sign-in field and click the arrow to proceed.

  • For Offline security key, insert or tap the security key as prompted.

If authentication is successful, the user gains access to the Windows computer. The next time the user signs in to Windows, the last MFA method they used is automatically selected. To choose a different authentication method, the user must click Try another way and select an alternate method to verify their identity.

Desktop Password Autofill

If you have enabled the Desktop Password Autofill option, users can respond to a push notification to sign in to Windows without entering a password.

User requirements

  • The Windows computer is online.
  • The user is enrolled in Okta Verify and has push notifications enabled.
  • The user's Okta Verify account has biometrics enabled.

The Windows computer must be online for password autofill. The user's password remains valid and can still be used if push notifications are unavailable, the computer is offline, or password autofill fails.

After Desktop Password Autofill is enabled, the user signs in to the Windows computer with a username (if required) and a password. After a successful authentication, the user is silently enrolled in password autofill. The next time the user signs in to the computer, a push notification is sent to the registered mobile device. Successfully responding to the push notification grants the user access to the computer without entering a password.

If the Windows computer is offline, the user is required to enter a password to sign in, even if the user is enrolled in password autofill.

When a user's password is reset, the user is prompted to enter the new password at their next sign-in attempt before password autofill works again.

If the SamAccountName (SAM) and UserPrincipalName (UPN) don't match, then at the next sign-in attempt, the system prompts the user to input their password.

Self-service password reset

If you enable the self-service password reset option, users can initiate a password reset if they've forgotten their password. Users must be online to reset their password.

When a user forgets their password, they click the Forgot password? button on the Windows computer. The user is asked to verify their identity with Okta Verify on their mobile device. After the user's identity has been verified, they're prompted for a new password. This new password must meet the password requirements. When the password is successfully changed, the user receives a message saying Your password has been changed.

If the Okta username doesn't match either the SamAccountName (SAM) or UserPrincipalName (UPN), self-service password reset isn't available. See Create and configure the Desktop MFA app integration.
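Both the password autofill fallback above and the self-service password reset condition hinge on the user's SamAccountName and UserPrincipalName lining up, so an administrator preparing a rollout will want to find the accounts that don't. The following PowerShell audit is an added example, not Okta's code or part of the Desktop MFA product; it assumes a domain-joined host with the RSAT ActiveDirectory module, and it interprets "match" as the UPN's local part (before the @) being equal to the sAMAccountName, case-insensitively, which is an assumption, not something the page states.

```powershell
# Added example (not Okta's): list enabled AD users whose sAMAccountName
# differs from the local part of their UPN. Assumption: "match" means the
# UPN prefix before '@' equals the sAMAccountName (case-insensitive).
Import-Module ActiveDirectory

function Get-SamUpnMismatch {
    param(
        # Assumption: audit the whole domain unless a narrower OU is given.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
               -Properties SamAccountName, UserPrincipalName |
    ForEach-Object {
        $upn    = $_.UserPrincipalName
        $prefix = if ($upn) { $upn.Split('@')[0] } else { $null }
        $isMatch = [bool]$prefix -and ($prefix -ieq $_.SamAccountName)

        if (-not $isMatch) {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                UserPrincipalName = $upn
                Reason            = if (-not $upn) { 'No UPN set' }
                                    else { 'UPN prefix differs from SAM' }
            }
        }
    }
}

# Users listed here will be prompted for their password at the next sign-in
# instead of getting password autofill. Cross-check their Okta username
# separately: self-service reset needs it to match the SAM or the UPN.
Get-SamUpnMismatch | Sort-Object SamAccountName | Format-Table -AutoSize
```

Run it under an account with read access to the directory; exporting the result with Export-Csv gives a list to reconcile before enabling Desktop Password Autofill or self-service password reset.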

Next step

Support your users