Configure Desktop MFA app integration for Windows

Desktop MFA for Windows adds a layer of security to the Windows sign-in process by asking users for extra authentication before allowing computer access. When Desktop MFA for Windows is configured and deployed, users are prompted to set up one or more authentication methods to verify their identity. Users must set up at least one authentication method within the configurable sign-in limit. If the user goes over the limit, they're locked out of the computer and require admin intervention to regain access.

Configure Desktop MFA in the Admin Console, and then deploy it through your Mobile Device Management (MDM) solution. This pushes a single, packaged installer to desktop computers. The user experience depends on which options you enable and how the Okta org's authentication policies are configured. Desktop MFA supports the following authenticators:

  • Online: Okta Verify push, Okta Verify one-time password

  • Offline: Okta Verify one-time password, YubiKey versions 5.0 and up and with OATH support.

Before you begin

Ensure that you meet these requirements:

  • Your Okta Identity Engine org is available.

  • Active Directory or Azure Active Directory is configured.

  • Your Windows virtual machine or device is joined to Active Directory or Azure Active Directory.

  • The Okta Verify authenticator is set up in your org.

  • Okta Verify push notifications are enabled.

  • Users have Okta Verify installed on a mobile device.

  • Any MDM solution, such as Group Policy or SCCM, is set up and available.

  • Windows 10 version 1709 or later or Windows 11 is installed on the endpoints.

  • .NET 4.8 is installed.

If you use YubiKey, it must be series 5 or greater with OATH support. YubiKey Bio isn't supported.

If you use Windows Server, it must be version 2019 or newer. YubiKey isn't supported for offline authentication with Windows Server.

Before creating and configuring the Desktop MFA application, be aware of the following:

  • YubiKey isn't supported for offline authentication with Windows Server.

  • After installation, users may see two instances of Okta Verify in the Installed Programs list.

  • It's not possible to downgrade Okta Verify.

Tasks

Create and configure the Desktop MFA app integration

  1. Sign in to your Okta tenant as a super admin.

  2. In the Admin Console, go to SettingsAccountEmbedded widget sign-in support and ensure that the Interaction Code checkbox is selected.

  3. In the Admin Console, go to ApplicationsApplications.

  4. Click Browse App Catalog and search for Desktop MFA.

  5. Click Add integration.

    If you get an error message saying This feature isn’t enabled, contact your account representative.

  6. On the General Settings page, edit the application label or click Done to accept the default value. The Okta Verify integration app is created.

  7. Click the app to configure it:

    1. On the Sign on tab, go to the Settings section and click Edit. Click the Application username format dropdown menu and select one of the following formats appropriate for your organization. The formats available in the dropdown menu are based on the configuration of your org.

      • AD employee ID

      • AD SAM account name

      • AD SAM account name + domain

      • AD user principal name prefix

      • Custom

      • Email

      • Email prefix

      • Okta

      • Okta username prefix

      The Application username format is the username used to sign in to the device. Having a designated username format allows Okta Verify to ensure that the user signing in is prompted for the correct factors. For example, if your org is configured with Active Directory, users sign in with domain\username or username@domain.

      If the username is the same as what is already used in Okta, it's recommend that you use Okta username prefix. Otherwise, use AD SAM account name or AD user principal name prefix, noting that AD user principal name prefix only works if the UPN prefix matches the SAM account name.

      If your environment is Azure-joined, users typically sign in with their UPN (user principal name). This can be formatted as AzureAD\user@domain.com or user@domain.com. Okta recommends using Okta username prefix for Azure Active Directory.

      If your environment is a mix of Azure Active Directory and Active Directory joined devices, you must create a separate Desktop MFA instance to handle different username formats. Hybrid environments aren't currently supported.

    2. On the Assignments tab, assign the app to relevant users or security groups.

    3. On the General tab, go to the Client Credentials section to find the client ID and secret. The identifier and secret are generated when you create the app integration. Make note of these values, as you need them when you deploy Desktop MFA for Windows using your MDM solution.

  8. Click Save.

When the Desktop MFA app is integrated, a Desktop MFA authentication policy is added to your org. This policy verifies that users who try to sign in with Desktop MFA meet specific conditions, and enforces factor requirements based on those conditions. The Desktop MFA authentication policy shouldn't be modified for any reason. If necessary, you can create a separate authentication policy to meet the needs of your org. See Authentication policies.

Download Okta Verify for Windows

Desktop MFA is part of Okta Device Access, which uses Okta Verify for device registration and user authentication. In the Admin Console, go to Settings Downloads and download Okta Verify for Windows (.exe). You must download the Okta Verify package from the Admin Console and not from an App Store. If the Okta Device Access product has been enabled for your organization, Desktop MFA can be configured and deployed. Contact your account representative for more information.

Next steps

Deploy Desktop MFA for Windows to your endpoints

Configure Windows Desktop MFA policies

Enable self-service password reset