Windows Desktop MFA user experience

Desktop MFA strengthens the security posture of Windows desktop computers by prompting users to verify their identity with multifactor authentication at sign-in. Users must configure an offline verification method before gaining access to apps and data. This offline method lets the user satisfy MFA and sign in to the computer when it has no internet connection.

Before setup, users must meet these requirements:

  • They must have Okta Verify installed on a mobile device. They can have Okta Verify installed in advance, or install it as part of the Desktop MFA setup.

  • They must have Okta Verify push notifications enabled for their mobile device.

After Desktop MFA has been configured and deployed, review the user setup and sign-in process, prepare communication for the rollout, and review support details.

User setup

  1. After booting or waking the computer, the user is prompted to sign in to Windows. At this point, Desktop MFA checks if the user has enrolled an offline authentication method to sign in. If no offline enrollments are found, Desktop MFA prompts the user to add a verification method.

  2. If the user selects Skip for now, a message appears with the number of remaining sign-ins before they must enroll a verification method to access their device. You can configure this number. See Configure Desktop MFA policies.

  3. When the user clicks Add verification or Continue setup, they're asked to set up an offline verification method.

  4. The user selects a method of offline verification to enroll: Device access code or Device access key. After clicking Set up, the user is prompted to confirm that Okta Verify is installed. If the user doesn't have Okta Verify installed, they can select the app store link for their mobile platform to install it.

    • Device access code: After confirming that Okta Verify is installed, the user clicks Next to reveal a QR code that must be scanned from the Okta Verify app. This adds a Device access code with the Windows device name to Okta Verify that can be used to verify the user when they're offline. The user sees a message confirming the successful addition of the authentication method: You can sign in to Windows with "Device access code."

    • Device access key: After confirming that Okta Verify is installed, the user clicks Next. The user is prompted to insert and then tap the YubiKey to validate the device and the user. This adds a Device access key with the Windows device name to Okta Verify that can be used to verify the user when they're offline. The user sees a message confirming the successful addition of the authentication method: You can sign in to Windows with "Device access key."

User authentication

After waking or booting the computer, the user enters a username or selects a user, and then enters a password. They then choose an authentication method to verify their identity. If the user has more than one authentication method set up, they can select any method available to them. The MFA options are Okta Verify push, Okta Verify one-time password, offline one-time password, and offline YubiKey. Okta Verify push requires an internet connection.

When the user selects an authentication method, they need to complete the validation request:

  • For Okta Verify push, click Send push. Check the mobile device and confirm the sign-in attempt in the Okta Verify app.

    • If you enforced number challenge, then all push notifications sent to users for validation are number challenges, regardless of your authentication policy. See Enforce number challenge for Desktop MFA.

  • For Okta Verify one-time password, open Okta Verify on the mobile device and find the one-time password. Enter the code in the sign-in field, and then click the arrow to proceed.

  • For Offline one-time password, open Okta Verify on the mobile device and find the one-time password shown under the Device access code for this Windows device. Enter the code in the Windows sign-in field and click the arrow to proceed.

  • For Offline YubiKey, insert and then tap the YubiKey when prompted.

If authentication succeeds, the user gains access to the Windows computer. The next time the user signs in to the Windows computer, the last MFA method they used is selected automatically. To choose a different authentication method, the user clicks Try another way and selects an alternate method from the dropdown menu.

Desktop Passwordless login

If the passwordless login option has been enabled, users can sign in to their Windows computer without entering a password by responding to a push notification.

User requirements

  • The Windows computer is online.
  • The user is enrolled in Okta Verify and has push notifications enabled.
  • The user's Okta Verify account has biometrics enabled.

The Windows computer must be online for passwordless access. The user still has a valid password, which is used when push notifications are unavailable, the computer is offline, or passwordless sign-in fails.

Once passwordless login is enabled, the user signs in to the Windows computer with a username (if required) and a password. After that successful authentication, the user is silently enrolled in passwordless login. The next time the user signs in to the computer, a push notification is sent to the registered mobile device. Approving the push notification grants the user access to the computer without entering a password.

If the Windows computer is offline, the user is required to enter a password to sign in, even if the user is enrolled in passwordless login.

When a user's password is reset, the user must enter the new password at the next sign-in attempt before passwordless login resumes.
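As an added worked example, not Okta's code or anything from this page, the following Python models the sign-in decisions described in User setup, User authentication and Desktop Passwordless login, so that a rollout team can walk through scenarios such as a user who keeps choosing Skip for now and then takes the laptop offline. The class and function names, the default skip budget of 3, and the treatment of the Okta Verify one-time password as an online-only method are assumptions; the page itself states only that Okta Verify push needs an internet connection.

```python
"""Hypothetical model of the Desktop MFA sign-in flow described on this page.

Not Okta code. Names, the default skip budget and the online-only handling of
the Okta Verify one-time password are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

PUSH = "Okta Verify push"
OTP = "Okta Verify one-time password"
OFFLINE_OTP = "Offline one-time password"   # backed by an enrolled Device access code
OFFLINE_KEY = "Offline YubiKey"             # backed by an enrolled Device access key


@dataclass
class UserState:
    """What Desktop MFA knows about one user on one Windows device (assumed fields)."""
    device_access_code: bool = False      # enrolled by scanning the QR code in Okta Verify
    device_access_key: bool = False       # enrolled by tapping the YubiKey
    skips_remaining: int = 3              # "Skip for now" budget; admin-configured, 3 is assumed
    passwordless_enabled: bool = False    # the org-level passwordless login option
    passwordless_enrolled: bool = False   # set silently after the first password sign-in
    password_reset_pending: bool = False  # true after a password reset
    biometrics_enabled: bool = True       # passwordless requires biometrics in Okta Verify
    last_method: Optional[str] = None     # preselected at the next sign-in


def has_offline_method(u: UserState) -> bool:
    return u.device_access_code or u.device_access_key


def available_methods(u: UserState, online: bool) -> list[str]:
    """Methods offered after the password step.

    Push needs a connection to Okta (stated on the page). Treating the
    Okta Verify one-time password as online-only is an assumption here.
    """
    methods: list[str] = []
    if online:
        methods += [PUSH, OTP]
    if u.device_access_code:
        methods.append(OFFLINE_OTP)
    if u.device_access_key:
        methods.append(OFFLINE_KEY)
    return methods


def password_required(u: UserState, online: bool) -> bool:
    """False only when a push notification can replace the password entirely."""
    eligible = u.passwordless_enabled and u.passwordless_enrolled and u.biometrics_enabled
    return (not eligible) or (not online) or u.password_reset_pending


def enrollment_prompt(u: UserState, enroll: Optional[str]) -> str:
    """The offline-method check that runs at every sign-in until one is enrolled.

    enroll is "code" (Device access code), "key" (Device access key) or None (Skip for now).
    """
    if has_offline_method(u):
        return "granted"
    if enroll == "code":
        u.device_access_code = True
        return "granted; Device access code enrolled"
    if enroll == "key":
        u.device_access_key = True
        return "granted; Device access key enrolled"
    if u.skips_remaining <= 0:
        return "blocked until an offline method is enrolled"
    u.skips_remaining -= 1
    return f"granted; {u.skips_remaining} skips left before enrollment is required"


def sign_in(u: UserState, online: bool, method: Optional[str] = None,
            enroll: Optional[str] = None) -> str:
    """Walk one sign-in, assuming the password and the chosen factor both succeed.

    The result names the path taken and what the user sees next.
    """
    if password_required(u, online):
        method = method or u.last_method          # last used method is preselected
        if method is None:
            return "denied: no authentication method chosen"
        if method not in available_methods(u, online):
            return f"denied: {method} is not available"
        u.last_method = method
        u.password_reset_pending = False          # the reset password has now been typed once
        if u.passwordless_enabled:
            u.passwordless_enrolled = True        # silent enrollment after password + MFA
        how = f"password + {method}"
    else:
        how = "passwordless push"
    return f"{how}: {enrollment_prompt(u, enroll)}"


if __name__ == "__main__":
    # Constructed rollout scenario: a user who skips enrollment, then goes offline.
    u = UserState(skips_remaining=1)
    print(sign_in(u, online=True, method=PUSH))                # skipped, 0 left
    print(sign_in(u, online=True, method=PUSH))                # blocked until enrolled
    print(sign_in(u, online=False, method=OFFLINE_OTP))        # denied: nothing enrolled
    print(sign_in(u, online=True, method=OTP, enroll="code"))  # enrolls Device access code
    print(sign_in(u, online=False, method=OFFLINE_OTP))        # works offline now
```

The scenario in the main block is the one a support desk most often sees: a user who exhausts the skip budget while online is fine, but a user who has never enrolled an offline method has no MFA option at all once the computer is offline, and a passwordless user whose preselected method is Okta Verify push must use Try another way to pick an offline method when disconnected.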

Self-service password reset

If the self-service password reset option has been enabled, users can initiate a password reset if they've forgotten their password. Users must be online to reset their password.

When a user forgets their password, they click the Forgot password? button on the Windows computer. The user is asked to verify their identity with Okta Verify on their mobile device. After the user's identity has been verified, they're prompted for a new password on the Windows computer. The new password must meet the password requirements and is entered twice to confirm it. When the password has been changed successfully, the user receives the message "Your password has been changed." The user clicks OK to continue to the computer.

Next step

Support your Desktop MFA users