Configure Desktop MFA for Windows

Early Access release. See Manage Early Access and Beta features.

Desktop MFA for Windows adds a layer of security to the Windows sign-in process by asking users for extra authentication before allowing computer access. When Desktop MFA for Windows is configured and deployed, users are prompted to set up one or more authentication methods to verify their identity. Users must set up at least one authentication method within the configurable sign-in limit. If the user goes over the limit, they're locked out of the computer and require admin intervention to regain access.

Configure Desktop MFA in the Okta Admin Console, and then deploy it through your Mobile Device Management (MDM) solution. This pushes a single, packaged installer to desktop computers. The user experience depends on which options you enable and how the Okta org's authentication policies are configured.

Ensure that you meet these requirements:

  • Your Okta Identity Engine org is available.

  • Active Directory or Azure Active Directory is configured.

  • Your Windows virtual machine or device is joined to Active Directory or Azure Active Directory.

  • The Okta Verify authenticator is set up in your org.

  • Okta Verify push notifications are enabled.

  • Users have Okta Verify installed on a mobile device.

  • Any MDM solution, such as Group Policy or SCCM, is set up and available.

  • Windows 10 version 1709 or later or Windows 11 is installed on the endpoints.

  • .NET 4.8 is installed.

If you use YubiKey, it must be series 5 or greater with OATH support. YubiKey Bio isn't supported.

If you use Windows Server, it must be version 2019 or newer. Note that YubiKey isn't supported for offline authentication with Windows Server.
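The requirements above can be checked on each endpoint before the installer is pushed out. The following PowerShell script is an added example, not part of Okta's documentation or tooling: it reads the Windows build, the .NET Framework 4.8 registration and the directory-join state and reports which prerequisites are unmet. It assumes it is run locally with administrator rights; the build and .NET Release thresholds are Microsoft's published values (Windows 10 1709 = build 16299, Windows Server 2019 = build 17763, .NET 4.8 = Release 528040 or higher).

```powershell
# Added prerequisite check for Desktop MFA for Windows endpoints (example, not Okta's own code).
# Assumes: runs on the endpoint with admin rights; dsregcmd.exe is present (Windows 10/11 and Server 2019+).

$results = [ordered]@{}

# Windows version. Client minimum is Windows 10 version 1709 (build 16299); Windows 11 (build 22000+)
# is covered by the same comparison. Windows Server must be 2019 (build 17763) or newer.
$ver      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build    = [int]$ver.CurrentBuildNumber
$isServer = $ver.ProductName -like '*Server*'
$minBuild = if ($isServer) { 17763 } else { 16299 }
$results['WindowsVersionOk'] = ($build -ge $minBuild)

# .NET Framework 4.8 registers a Release value of 528040 or higher under the NDP\v4\Full key.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['DotNet48Ok'] = ($null -ne $ndp -and [int]$ndp.Release -ge 528040)

# Directory join: on-premises AD is reported by Win32_ComputerSystem, Azure AD by dsregcmd /status.
$cs        = Get-CimInstance -ClassName Win32_ComputerSystem
$adJoined  = [bool]$cs.PartOfDomain
$dsreg     = & dsregcmd.exe /status 2>$null
$aadJoined = [bool]($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')
$results['DirectoryJoinOk'] = ($adJoined -or $aadJoined)

# Report each check; a non-zero exit code lets an MDM or GPO script treat the endpoint as not ready.
foreach ($entry in $results.GetEnumerator()) {
    '{0,-18} {1}' -f $entry.Key, $entry.Value
}
if ($results.Values -contains $false) {
    Write-Warning "One or more Desktop MFA prerequisites are not met on $($env:COMPUTERNAME)."
    exit 1
}
exit 0
```

The script deliberately does not check for Okta Verify on the user's phone or for push notifications being enabled, since those are org-side and per-user settings that are verified in the Admin Console rather than on the endpoint.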

Create and configure the Desktop MFA app integration

  1. In the Admin Console, go to Settings > Account > Embedded widget sign-in support and ensure that the Interaction Code checkbox is selected.

  2. In the Admin Console, go to Applications > Applications.

  3. Click Browse App Catalog and search for Desktop MFA.

  4. Click Add integration.

    If you get an error message saying "This feature isn't enabled", contact your account representative.

  5. On the General Settings page, edit the application label or click Done to accept the default value. The Okta Verify integration app is created.

  6. Click the app to configure it:

    1. On the Sign on tab, go to the Settings section and click Edit. Click the Application username format dropdown menu and select one of the following formats:

      • AD employee ID

      • AD SAM account name

      • AD SAM account name + domain

      • AD user principal name prefix

      • Custom

      • Email

      • Email prefix

      • Okta

      • Okta username prefix

    2. On the Assignments tab, assign the app to relevant users or security groups.

    3. On the General tab, go to the Client Credentials section to find the client ID and secret. The identifier and secret are generated when you create the app integration. Make note of these values, as you need them when you deploy Desktop MFA for Windows using your MDM solution.

  7. Click Save.

Download Okta Verify for Windows

Desktop MFA is part of Okta Device Access, which uses Okta Verify for device registration and user authentication. In the Admin Console, go to Settings > Downloads and download Okta Verify for Windows (.exe). If the Okta Device Access product has been enabled for your organization, Desktop MFA can be configured and deployed. Contact your account representative for more information.

Next steps

Deploy Desktop MFA for Windows to your endpoints

Configure Desktop MFA policies