Desktop MFA for Windows

Okta Desktop MFA for Windows adds a layer of security to the Windows sign-in process. It ensures that a user must prove their identity with additional factors to access their physical or virtual Windows machines.

After you configure Desktop MFA in the Admin Console, you can deploy it through your Mobile Device Management (MDM) solution. This pushes a single, packaged installer to desktop computers. The user experience depends on which options you enable and how you configure your org authentication policies.

Desktop MFA supports the following authenticators:

  • Online: Okta Verify Push, Okta Verify TOTP (Time-based One-Time Password), or a FIDO2 security key.

  • Offline: Okta Verify TOTP or an OATH-compliant security key.

Additional Desktop MFA for Windows features:

  • Desktop Password Autofill: users can authenticate and gain access to their Windows systems through a passwordless experience. Users authenticate through a response to a push notification on a registered mobile device or with a FIDO2 security key.

  • Self-Service Password Reset: users can initiate a password reset directly from the Windows sign-in screen. This feature helps prevent lockouts and reduces the burden on IT help desks.

Before you begin

Ensure that you meet these requirements:

  • Active Directory or Microsoft Entra ID is configured.

  • Any Windows virtual machine or device is joined to Active Directory or Microsoft Entra ID. Remote Desktop Protocol (RDP) access isn't supported.

  • The Okta Verify authenticator is set up in your org.

  • Push notifications for Okta Verify are enabled.

  • Users have Okta Verify installed on a mobile device.

  • Any MDM solution, such as Group Policy or SCCM, is set up and available.

  • Windows 10 version 1709 or later, or Windows 11, is installed on the endpoints.

  • .NET 4.8 is installed.

  • For security reasons, Okta doesn't allow inspection or modification of traffic between Okta Verify and its endpoints. If you use an SSL proxy, exclude your organization's default Okta domains from inspection. Typically Okta domains are *.okta.com or *.oktapreview.com. For a complete list of Okta domains, see Allow access to Okta IP addresses.
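The endpoint-side items in the list above (Windows build, .NET 4.8, domain or Entra ID join, and whether the Okta domain is being intercepted by an SSL proxy) can be checked before the MDM deployment runs. The following PowerShell pre-flight script is an added example, not Okta's code or part of the Desktop MFA installer. It assumes the Windows 10 1709 build number (16299), the .NET Framework 4.8 registry `Release` threshold (528040) that Microsoft documents, and that `dsregcmd /status` reports Entra ID join state; `$OktaOrgHost` is a placeholder to replace with your org's domain. It cannot verify org-side requirements such as the Okta Verify authenticator or push notifications being enabled.

```powershell
# Added pre-flight check for the Desktop MFA for Windows prerequisites.
# Hypothetical admin script, not Okta's own code. Run it on a test endpoint
# (or as an MDM detection script) before pushing the Desktop MFA installer.

param(
    # Placeholder: replace with your org's Okta domain (e.g. acme.okta.com).
    [string]$OktaOrgHost = 'example.okta.com'
)

function Test-WindowsVersion {
    # Windows 10 version 1709 is build 16299; Windows 11 builds start at 22000,
    # so a single "build >= 16299" test covers both requirements.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return ([int]$cv.CurrentBuild -ge 16299)
}

function Test-DotNet48 {
    # .NET Framework 4.8 writes Release >= 528040 here (assumed from Microsoft's
    # documented values). The key is absent on machines without .NET 4.x.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Release
    return ($null -ne $release -and [int]$release -ge 528040)
}

function Test-DomainJoin {
    # Active Directory join state from WMI; Entra ID join state from dsregcmd.
    $adJoined = [bool](Get-CimInstance Win32_ComputerSystem).PartOfDomain
    $entraJoined = [bool](dsregcmd /status | Select-String 'AzureAdJoined\s*:\s*YES')
    return [pscustomobject]@{
        ActiveDirectory = $adJoined
        EntraId         = $entraJoined
        Any             = ($adJoined -or $entraJoined)
    }
}

function Get-TlsIssuer {
    param([string]$HostName)
    # Open a TLS session to the Okta domain and report who issued the certificate
    # the client actually sees. A public CA means the domain is not being
    # inspected; your inspection proxy's CA means the exclusion is missing.
    $client = [System.Net.Sockets.TcpClient]::new($HostName, 443)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream())
        $ssl.AuthenticateAsClient($HostName)
        return $ssl.RemoteCertificate.Issuer
    } finally {
        $client.Close()
    }
}

# Collect the results into one object so an MDM tool can read them as a report.
$join = Test-DomainJoin
$report = [pscustomobject]@{
    WindowsBuildOk = Test-WindowsVersion
    DotNet48Ok     = Test-DotNet48
    DomainJoined   = $join.Any
    EntraIdJoined  = $join.EntraId
    OktaTlsIssuer  = try { Get-TlsIssuer -HostName $OktaOrgHost } catch { "ERROR: $($_.Exception.Message)" }
}
$report | Format-List

# Non-zero exit lets a deployment tool treat a failed prerequisite as "not ready".
if (-not ($report.WindowsBuildOk -and $report.DotNet48Ok -and $report.DomainJoined)) {
    exit 1
}
```

The TLS issuer is reported rather than pass/failed because which CA counts as "your proxy" is org-specific: compare the printed issuer with your inspection appliance's signing CA, and if they match, add the Okta domains to the proxy's exclusion list before deploying.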

Tasks

The tasks for Desktop MFA are divided into two sections. First you set up and configure the Desktop MFA app on the admin side. Then you can customize the user sign-in experience.

Set up Desktop MFA

Configure user experience