Configure Desktop MFA for Windows to use FIDO2 keys
Early Access release
You can set up a FIDO2 (WebAuthn) authenticator to allow users to securely sign in to their Windows devices using a security key. An admin can register these keys for users or the user can register them in the End-User Dashboard. Yubico can also deliver them directly to new, onboarding users, pre-enrolled with the user's data and your org configuration.
Desktop MFA for Windows supports FIDO2 security keys with or without a PIN. If you enable User Verification in your authentication policy, users can verify their identity with the FIDO2 key as long as you also enable User Verification in FIDO2 (WebAuthn) settings. To use security keys with PINs, set User Verification to Required in the FIDO2 (WebAuthn) authenticator settings and in your authentication policy. See Authentication policies for more information.
When configuring FIDO2 security keys for use with Desktop MFA for Windows, be aware of the following limitations:
- FIDO2 security keys can't be used for offline authentication.
- FIDO2 passkeys and bio-only keys aren't supported.
- FIDO2 security keys can't be used in combination with Desktop Passwordless Login. If your org uses Desktop Passwordless Login, don't enable UseDirectAuth.
- FIDO2 platform authenticators aren't supported.
Tasks
Set up the FIDO2 (WebAuthn) authenticator
To enable users to authenticate with a FIDO2 key, set up the FIDO2 (WebAuthn) authenticator in the Admin Console. If you already have the FIDO2 (WebAuthn) authenticator added, you can't add another. Ensure that the settings for the existing FIDO2 (WebAuthn) authenticator are appropriate for your org.
- In the Admin Console, go to .
- Click Add authenticator.
- From the list of authenticators, click Add under FIDO2 (WebAuthn).
- On the General settings page, click Edit.
- Under Settings, use the dropdown menu to select a User verification method. Review the content below the setting to learn more about what each user verification type does. Required is recommended if you want the FIDO2 keys to require a PIN for user authentication.
- Click Save.
After you set up the FIDO2 (WebAuthn) authenticator, configure your users individually to use the keys. Users can also complete the registration themselves. See User registers a FIDO2 key.
Enable FIDO2 for the Desktop MFA client
Create a PowerShell script and use your MDM to deploy the registry keys to your endpoints. Note the individual storage locations of each registry key.
Value name | Description | Values | Default value |
---|---|---|---|
UseDirectAuth | Enables the FIDO2 protocol for Desktop MFA. By default, it's set to 0. Set it to 1 to allow users to authenticate with FIDO2 security keys. Don't enable UseDirectAuth if passwordless access is enabled. Store the UseDirectAuth key at HKLM\Software\Okta\Okta Device Access. | REG_DWORD | 0 |
AllowedFactors | A list of factors that users can authenticate with. The AllowedFactors list requires UseDirectAuth to be enabled. If no factors are specified, all factors are allowed. Ensure that the factors listed are spelled correctly. Store the AllowedFactors key at HKLM\Software\Policies\Okta\Okta Device Access. Accepted values for AllowedFactors are: Note that users can be locked out of the computer if there is a mismatch between factors listed in the AllowedFactors list and the OfflineLoginAllowed and OnlineLoginAllowed registry settings. See Configure registry keys for more information. | REG_MULTI_SZ | * |
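As an added example (not Okta's own script), the following PowerShell writes the two registry values from the table to the locations it names, so it can be wrapped by your MDM. The AllowedFactors parameter is optional, and any factor names you pass are placeholders until replaced with values from Okta's accepted list.

```powershell
# Added example, not Okta's own script: writes the two Desktop MFA registry keys
# from the table above. The paths and value names come from that table; the
# factor names passed in $AllowedFactors are PLACEHOLDERS and must be replaced
# with names from Okta's accepted list before deployment.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Leave empty to keep the default "*" (all factors allowed).
    [string[]]$AllowedFactors = @()
)

$ErrorActionPreference = 'Stop'

$directAuthPath = 'HKLM:\Software\Okta\Okta Device Access'
$policyPath     = 'HKLM:\Software\Policies\Okta\Okta Device Access'

foreach ($path in @($directAuthPath, $policyPath)) {
    if (-not (Test-Path -Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
}

# UseDirectAuth (REG_DWORD): 1 enables FIDO2 for Desktop MFA.
# Do not deploy this if the org uses Desktop Passwordless Login.
if ($PSCmdlet.ShouldProcess($directAuthPath, 'Set UseDirectAuth = 1')) {
    New-ItemProperty -Path $directAuthPath -Name 'UseDirectAuth' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# AllowedFactors (REG_MULTI_SZ): one factor name per string. A misspelled name,
# or one that conflicts with OfflineLoginAllowed/OnlineLoginAllowed, can lock
# users out, so the value is only written when an explicit list was supplied.
if ($AllowedFactors.Count -gt 0) {
    $msg = "Set AllowedFactors = $($AllowedFactors -join ', ')"
    if ($PSCmdlet.ShouldProcess($policyPath, $msg)) {
        New-ItemProperty -Path $policyPath -Name 'AllowedFactors' `
            -PropertyType MultiString -Value $AllowedFactors -Force | Out-Null
    }
}

# Read back the effective state so the MDM script log records what was written.
$effective = [ordered]@{
    UseDirectAuth  = (Get-ItemProperty -Path $directAuthPath).UseDirectAuth
    AllowedFactors = (Get-ItemProperty -Path $policyPath).AllowedFactors
}
if ($null -eq $effective.AllowedFactors) { $effective.AllowedFactors = '*' }
[pscustomobject]$effective | Format-List
```

Run the script with -WhatIf to preview the registry changes before deploying it through your MDM.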
Configure FIDO2 keys
There are several ways you can prepare a FIDO2 key for your users:
- Manually configure keys for users in the Admin Console.
- Have users set up their own FIDO2 keys in the End-User Dashboard.
- Use the pre-enrolled YubiKey workflow. See Set up YubiKey - Okta flow.
Choose the registration method that works best for your org. Note that users must be enrolled in at least one factor before attempting to sign in with Desktop MFA.
Register a FIDO2 key on behalf of users
- In the Admin Console, go to .
- Click a user to open their profile.
- Click More Actions and choose Enroll FIDO2 Security Key from the list.
- Insert the FIDO2 key into your computer and click Register.
- Follow the prompts until you receive confirmation that the FIDO2 key has been successfully registered to the user.
- Give the enrolled FIDO2 key to the appropriate user.
User registers a FIDO2 key
If a user receives a FIDO2 security key, they can register the key using the Okta End-User Dashboard. Encourage your users to set up the security key with the appropriate settings for your org.
- Sign in to the Okta End-User Dashboard.
- Click your name in the upper-right corner and select Settings.
- Under Security Methods, locate Security Key or Biometric Authenticator and click Set up another.
- Verify your identity with one of the presented options, and then click Set up.
- Follow the prompts to register the FIDO2 key to your Okta account.
After the user successfully registers the security key, they can verify their identity by inserting the FIDO2 key into the Windows device and following the prompts on the screen.
When users enroll the FIDO2 factor, they're limited to the org's URL. For example, if users enroll the FIDO2 factor on your orgname.okta.com URL, the factor only allows access to your org with that same orgname.okta.com URL. If users enroll the FIDO2 factor using the custom URL for your org, the factor only allows access to your org with the custom URL.
Admins must configure Desktop MFA to use the same domain where users have enrolled the FIDO2 authentication factor.