Device-Bound Single Sign-On

Early Access release. See Enable self-service features.

Device-Bound Single Sign-On is an Okta Device Access feature that allows you to create a hardware-protected identity session that binds a user's authentication to a specific device.

Because the session is cryptographically bound to a key held in the device hardware, a session token copied off the device (for example through cookie theft or session hijacking) can't be replayed from anywhere else: the attacker never obtains the private key needed to prove that the session belongs to that device. The phishing-resistant session is shared across all browsers and platform-specific apps on the device, which significantly reduces the number of MFA prompts your users receive.

How it works

Device-Bound Single Sign-On relies on the Okta-joined device state. A device becomes Okta-joined when it registers in the Universal Directory through a Device Access SCEP certificate and links the operating system profile to a primary Okta user.

When a user authenticates on an Okta-joined device, Okta creates a device session using a hardware-backed key that is generated in, and never leaves, the device's secure hardware:

  • Windows: Trusted Platform Module (TPM)

  • macOS: Secure Enclave

Session creation

Exactly when the hardware-bound session is established depends on the operating system:

  • Windows: The session starts when the user signs in to Windows using Desktop MFA with an online factor. Alternatively, if the user signs in using an offline factor, the session starts after the first successful authentication to an Okta-protected app.

  • macOS: Unlocking or signing into the device doesn't create the device session. The session starts when the user performs an online authentication in a browser.

Security and validation

Unlike a standard browser cookie, which anyone who holds it can present, the Device-Bound SSO session is strictly tied to the device hardware and can't be presented from another device.

When a user attempts to access an Okta-protected app, Okta evaluates the device session against the app sign-in policy.

If the factors recorded in the device session meet the assurance requirements defined in that app sign-in policy, Okta grants the user seamless access. Otherwise the device session alone isn't sufficient, and the user must satisfy the policy's remaining requirements before access is granted.

Device-bound session duration

The device-bound session remains active until the user signs out of the device or an admin performs one of the following actions:

The device-bound session remains active when the user locks the device and resumes when they unlock the device.

Next steps

Configure Device-Bound SSO for macOS

Configure Device-Bound SSO for Windows