Desktop MFA user experience
Desktop MFA strengthens the security posture of Windows desktop computers by prompting users to verify their identity using multifactor authentication. Users must configure an offline verification method before gaining access to apps and data. This offline verification method enables secure access to the computer when the user is without an internet connection.
Before setup, users must meet these requirements:
- They must have Okta Verify installed on a mobile device. They can have Okta Verify installed in advance, or install it as part of the Desktop MFA setup.
- They must have Okta Verify push notifications enabled for their mobile device.
After Desktop MFA has been configured and deployed, review the user setup and sign-in process, prepare communication for the rollout, and review support details.
User setup
- After booting or waking the computer, the user is prompted to sign in to Windows. At this point, Desktop MFA checks if the user has enrolled an offline authentication method to sign in. If no offline enrollments are found, Desktop MFA prompts the user to add a verification method and displays the remaining sign-in attempts the user has before they're locked out of the computer.
- The user selects a method of offline verification to enroll: Offline one-time password or Offline YubiKey. After clicking Set up, the user is prompted to ensure that Okta Verify is installed. If the user doesn't have Okta Verify installed, they can select the appropriate App Store link to install the software.
  - Offline one-time password: After confirming that Okta Verify is installed, the user clicks Next to reveal a QR code that must be scanned from the Okta Verify app. The user is asked to enter the offline one-time password shown in Okta Verify. An Offline one-time password account with the Windows device name is added to Okta Verify. This account can be used to verify the user when they're offline. The user sees a message confirming the successful addition of the authentication method: You can sign in to Windows with "Offline one-time password".
  - Offline YubiKey: After confirming that Okta Verify is installed, the user clicks Next. The user is prompted to insert and then tap the YubiKey to validate the device and the user. This adds an Offline YubiKey account with the Windows device name to Okta Verify. This account can be used to verify the user when they're offline. The user sees a message confirming the successful addition of the authentication method: You can sign in to Windows with "Offline YubiKey".
User authentication
After waking or booting the computer, the user is asked to enter a username or select a user and then enter a password. They then have to choose an authentication method to validate their identity. If the user has more than one authentication method set up, they can select any method available to them. MFA options are Okta Verify push, Okta Verify one-time password, offline one-time password, and offline YubiKey. Okta Verify push can only be used with an internet connection.
When the user selects an authentication method, they need to complete the validation request:
- For Okta Verify push notification, click Send push. Check the mobile device and confirm the sign-in attempt in the Okta Verify app.
- For Okta Verify one-time password, open Okta Verify on a mobile device and find the one-time password. Enter the number in the sign-in field, and then click the arrow to proceed.
- If you enforced number challenge, then all push notifications sent to users for validation are number challenges regardless of your authentication policy. See Enforce number challenge for Desktop MFA.
- For Offline one-time password, open Okta Verify on a mobile device and find the one-time password. Enter the number in the Windows sign-in field and click the arrow to proceed.
- For Offline YubiKey, insert or tap YubiKey as prompted.
If authentication is successful, the user gains access to the Windows computer. The next time the user signs in to the Windows computer, the last MFA method they used is automatically selected. To choose a different authentication method, the user clicks Try another way and uses the dropdown menu to select an alternate method to verify their identity.
Desktop Passwordless login
If the passwordless login option has been enabled, users can sign in to their Windows computer without entering a password by responding to a push notification.
User requirements
- The Windows computer is online.
- The user is enrolled in Okta Verify and has push notifications enabled.
- The user's Okta Verify account has biometrics enabled.
The Windows computer must be online for passwordless access. The user still has a valid password that can be used when push notifications are unavailable, the computer is offline, or passwordless sign-in fails.
Once passwordless login is enabled, the user signs in to the Windows computer with a username (if required) and a password. After a successful authentication, users are quietly enrolled in passwordless login. The next time the user signs in to the computer, a push notification is sent to the registered mobile device. Successfully responding to the push notification grants the user access to the computer without a need to enter a password.
If the Windows computer is offline, the user is required to enter a password to sign in, even if the user is enrolled in passwordless login.
When a user's password is reset, the user is prompted to enter a password at the next sign-in attempt in order for passwordless login to work.
If the SamAccountName (SAM) and UserPrincipalName (UPN) don't match, users are prompted to input their password again at next sign-in, after which passwordless access resumes.
Self-service password reset
If the self-service password reset option has been enabled, users can initiate a password reset if they've forgotten their password. Users must be online to reset their password.
When a user forgets their password, they click the Forgot password? button on the Windows computer. The user is asked to verify their identity with Okta Verify on the user's mobile device. After the user's identity has been verified, they're prompted for a new password on their Windows computer. This new password must meet the password requirements, and is entered twice to confirm the password selection. When the password has been successfully changed, the user receives a message saying "Your password has been changed." Click OK to continue accessing the computer.
If the Okta username doesn't match either the SamAccountName (SAM) or UserPrincipalName (UPN), self-service password reset isn't available. See Create and configure the Desktop MFA app integration for more information.