Configure Desktop Password Autofill for Windows
You can use Desktop Password Autofill to configure a passwordless sign-in experience for your users.
When you enable this feature, end users sign in to their Windows computer with their password and a factor challenge to verify their identity. After the initial verification, they can then sign in to their Windows computer without a password. Instead, they authenticate by responding to an Okta Verify Push notification or by using their FIDO2 key.
If the Windows computer is offline, or if the password autofill fails for any reason, the user can still enter their password to sign in.
Enable Desktop Password Autofill
To enable the Desktop Password Autofill feature, set the PasswordlessAccessEnabled registry value to 1.
The feature is disabled by default.
User verification with Okta Verify Push
To use Desktop Password Autofill with Okta Verify Push, enable User Verification with Biometrics in your Okta Verify authentication policy. See Configure Okta Verify options.
If your authentication policy has user verification disabled, don't enable Desktop Password Autofill, as users may not have biometrics enabled on their mobile devices. Without biometrics enabled, users are locked out of the computer because they can't use an online factor to authenticate.
If users don't have biometrics enabled for Okta Verify on their mobile device, configure your org policies to block these users from using password autofill flows with Okta Verify and Desktop MFA.
Also, if User Verification with Biometrics is disabled in both your authentication policy and your Okta Verify options, users can sign in to the desktop computer with single-factor authentication, which isn't a recommended flow.
User verification with FIDO2 key
To use Desktop Password Autofill with a FIDO2 key, you must enable FIDO2 on your Windows computers, and the FIDO2 keys must have a PIN assigned. See Configure Desktop MFA for Windows to use FIDO2 keys.
If the key doesn't have a PIN assigned and the FIDO2 authenticator setting for User verification is set to Discouraged, the sign-in screen prompts the user for a password and their FIDO2 key. Otherwise, the user always uses their key PIN for Desktop Password Autofill.
Next steps
Optional. Enable self-service password reset for Windows
Optional. Enforce number challenge for Desktop MFA for Windows
Optional. Configure Desktop MFA for Windows to use FIDO2 keys