Configure Desktop MFA for Windows to use FIDO2 keys

Early Access release

Setting up a FIDO2 (WebAuthn) authenticator allows users to securely sign in to their Windows devices using a security key.

You can register these keys through the Admin Console, or the user can register their key in their Okta End-User Dashboard.

As an alternative, Yubico can deliver the YubiKey directly to new users, already pre-enrolled with the user's data and your org configuration.

PIN support

Desktop MFA for Windows supports FIDO2 security keys with or without a PIN.

If you enable User verification in your authentication policy, users can verify their identity with the FIDO2 key as long as you also enable User verification in FIDO2 (WebAuthn) settings.

To use security keys with PINs, set the User verification to Required in both the FIDO2 (WebAuthn) authenticator settings and in your authentication policy.

See Authentication policies for more information.

Limitations

When configuring FIDO2 security keys for use with Desktop MFA for Windows, be aware of the following limitations:

  • FIDO2 security keys can't be used for offline authentication.

  • FIDO2 passkeys and biometric-only keys aren't supported.

  • FIDO2 platform authenticators aren't supported.

Tasks

Set up the FIDO2 (WebAuthn) authenticator

To enable users to authenticate with a FIDO2 key, set up the FIDO2 (WebAuthn) authenticator in the Admin Console. If you already have the FIDO2 (WebAuthn) authenticator added, you can't add another. Ensure that the settings for the existing FIDO2 (WebAuthn) authenticator are appropriate for your org.

  1. In the Admin Console, go to Security > Authenticators.

  2. Click Add authenticator.

  3. From the list of authenticators, click Add under FIDO2 (WebAuthn).

  4. On the General settings page, click Edit.

  5. Under Settings, use the dropdown menu to select a User verification method. Review the content below the setting to learn more about what each user verification type does. Required is recommended if you want the FIDO2 keys to require a PIN for user authentication.

  6. Click Save.

After you set up the FIDO2 (WebAuthn) authenticator, individually configure your users to use the keys. Users can also complete the registration themselves. See User registers a FIDO2 key.

Enable FIDO2 for the Desktop MFA client

Create a PowerShell script and use your MDM to deploy the registry keys to your endpoints. Note the individual storage locations of each registry key.

The table below lists each registry value by its value name, description, accepted values (registry type), and default value.

Value name: UseDirectAuth

Description: This registry key enables the FIDO2 protocol for Desktop MFA. By default, it's set to 0. Change the setting to 1 to allow users to authenticate with FIDO2 security keys. Don't enable UseDirectAuth if password autofill is enabled.

Store the UseDirectAuth key at HKLM\Software\Okta\Okta Device Access.

Values: REG_DWORD

Default value: 0

Value name: AllowedFactors

Description: A list of factors that users can authenticate with. The AllowedFactors list requires UseDirectAuth to be enabled. If no factors are specified, all factors are allowed. Ensure that the factors listed are spelled correctly.

Store the AllowedFactors key at HKLM\Software\Policies\Okta\Okta Device Access.

Accepted values for AllowedFactors are:

  • OV_Push

  • OV_TOTP

  • Offline_TOTP

  • FIDO2_USB_key

  • Offline_Security_key

Users can be locked out of the computer if there's a mismatch between factors in the AllowedFactors list and the OfflineLoginAllowed and OnlineLoginAllowed registry settings. See Configure registry keys for more information.

Values: REG_MULTI_SZ

Default value: * (all factors allowed)

Value name: PasswordlessAccessEnabled

Description: This value enables Desktop Password Autofill, which allows users to sign in to their device securely using non-password factors. This is disabled by default.

Desktop Password Autofill supports Okta Verify Push and FIDO2 keys when these are specified as AllowedFactors.

Values: REG_DWORD

Default value: 0
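The following PowerShell script is an added example for the MDM deployment step described above; it is not code from the Okta documentation. It writes UseDirectAuth and AllowedFactors to the registry locations and with the registry types given on this page, and rejects any factor name that does not exactly match the accepted list, since a misspelled factor can lock users out. The chosen factor list is an assumption; replace it with the factors your org allows.

```powershell
# Added example (not Okta's own script): enable FIDO2 for the Desktop MFA
# client by deploying the documented registry values through MDM.

$ErrorActionPreference = 'Stop'

# Registry locations stated on this page for each value.
$DirectAuthPath     = 'HKLM:\Software\Okta\Okta Device Access'
$AllowedFactorsPath = 'HKLM:\Software\Policies\Okta\Okta Device Access'

# Accepted AllowedFactors values from this page. Matching below is exact and
# case-sensitive so that a typo is caught before it reaches an endpoint.
$AcceptedFactors = @('OV_Push', 'OV_TOTP', 'Offline_TOTP',
                     'FIDO2_USB_key', 'Offline_Security_key')

# Assumption: this org allows Okta Verify Push and FIDO2 USB keys only.
$DesiredFactors = @('OV_Push', 'FIDO2_USB_key')

# Abort the whole change if any factor is not spelled exactly as documented.
$bad = $DesiredFactors | Where-Object { $AcceptedFactors -cnotcontains $_ }
if ($bad) {
    throw "Unrecognised AllowedFactors value(s): $($bad -join ', ')"
}

# Create the keys if they do not exist yet.
foreach ($path in @($DirectAuthPath, $AllowedFactorsPath)) {
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -Path $path -Force | Out-Null
    }
}

# UseDirectAuth is a REG_DWORD; 1 enables the FIDO2 protocol for Desktop MFA.
# AllowedFactors only takes effect when this value is enabled.
New-ItemProperty -LiteralPath $DirectAuthPath -Name 'UseDirectAuth' `
    -Value 1 -PropertyType DWord -Force | Out-Null

# AllowedFactors is a REG_MULTI_SZ: one factor name per string.
New-ItemProperty -LiteralPath $AllowedFactorsPath -Name 'AllowedFactors' `
    -Value $DesiredFactors -PropertyType MultiString -Force | Out-Null

# Read the values back so the deployment log shows what the endpoint will use.
$direct  = (Get-ItemProperty -LiteralPath $DirectAuthPath -Name 'UseDirectAuth').UseDirectAuth
$factors = (Get-ItemProperty -LiteralPath $AllowedFactorsPath -Name 'AllowedFactors').AllowedFactors
Write-Output "UseDirectAuth  = $direct"
Write-Output "AllowedFactors = $($factors -join ', ')"
```

The script does not check PasswordlessAccessEnabled, because this page does not give that value's registry location; confirm that Desktop Password Autofill is disabled before deploying, as the page notes that UseDirectAuth must not be enabled alongside it.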

Configure FIDO2 keys

There are several ways that you can prepare a FIDO2 key for your users:

  • Manually configure keys for users in the Admin Console.

  • Have users set up their own FIDO2 keys in the Okta End-User Dashboard.

  • Use the pre-enrolled YubiKey workflow. See Set up YubiKey - Okta flow.

Choose the registration method that works best for your org.

Users must have at least one factor enrolled before attempting to sign in with Desktop MFA.

Register a FIDO2 key on behalf of users

  1. In the Admin Console, go to Directory > People.
  2. Click a user to open their profile.
  3. Click More Actions and choose Enroll FIDO2 Security Key from the list.
  4. Insert the FIDO2 key into your computer and click Register.
  5. Follow the prompts until you receive confirmation that the FIDO2 key has been successfully registered to the user.
  6. Give the enrolled FIDO2 key to the appropriate user.

User registers a FIDO2 key

If a user receives a FIDO2 security key, they can register the key using the Okta End-User Dashboard. Encourage your users to set up the security key with the appropriate settings for your org.

  1. Sign in to the Okta End-User Dashboard.
  2. Click your name in the upper-right corner and select Settings.
  3. Under Security Methods, locate Security Key or Biometric Authenticator and click Set up another.
  4. Verify your identity with one of the presented options, and then click Set up.
  5. Follow the prompts to register the FIDO2 key to your Okta account.

After the user successfully registers the security key, they can verify their identity by inserting the FIDO2 key into the Windows device and following the on-screen prompts.

When users enroll the FIDO2 factor, they're limited to the org's URL. For example, if users enroll the FIDO2 factor on your orgname.okta.com URL, the factor only allows access to your org with that same orgname.okta.com URL. If users enroll the FIDO2 factor using the custom URL for your org, the factor only allows access to your org with the custom URL.

Admins must configure Desktop MFA to use the same domain where users have enrolled the FIDO2 authentication factor.

Next steps

Support your users