Enable Desktop MFA recovery for Windows
Early Access release
When a user can't sign in to their computer because they don't have access to either their Okta Verify-enrolled MFA device or another authenticator, they need admin assistance to regain access. With Desktop MFA recovery enabled, Windows users can contact an IT administrator for a time-limited device recovery PIN that grants temporary access to their computer.
Using this feature may increase your attack surface if you don't implement policies or procedures to fully authenticate the device, the user, and the request.
After the user regains access to their computer, they can use the recovery PIN for the duration set by the admin. The user should recover the Okta Verify-enrolled MFA device or register a new MFA device as soon as possible to maintain secure access to their computer.
Before you begin
- Configure Device Access certificates before setting up Desktop MFA recovery.
- The user's computer must have been online at least once after installing the Okta Verify app and Device Access certificates on the system.
- The user must have tried to sign in to the system at least once after the device is online and registered.
- If the user doesn't sign in within the time period defined using the DeviceRecoveryValidityInDays policy parameter, the system automatically regenerates the recovery secret.
- Super admins, help desk admins, and org admins must have the appropriate permissions to create or view a recovery PIN. See Standard administrator roles and permissions.
- If you're using a custom admin role, this requires the Generate device recovery PIN permission. See Role permissions. To activate this permission, go to in the Admin Console, and enable these features: Enable custom admin roles for Okta Device Access permissions and Enable custom admin roles for device permissions.
Enable Desktop MFA recovery
After you enable Desktop MFA recovery, admins with the appropriate permissions can generate a recovery PIN that they can share with the user. If the user doesn't enter the correct recovery PIN within the two-minute time limit, the PIN expires and a new one must be generated.
Configuring Desktop MFA recovery for Windows requires you to enable a security setting in the Admin Console.
- In the Admin Console, go to .
- Scroll to the Okta Device Access section.
- Click Edit. Super admin access is required to enable the feature. If you don't see the Edit button, check the access level for your admin account.
- For Enable Device Recovery PIN for Desktop MFA, select Enabled from the dropdown menu.
- Click Save.
Configure Desktop MFA recovery policy parameters
Add the following parameters to your device policy configuration:
- DeviceRecoveryPINDuration: The time period, in minutes, that a device recovery PIN is valid after activation. See DeviceRecoveryPINDuration.
- DeviceRecoveryValidityInDays: The length, in days, of the device recovery window for Desktop MFA. See DeviceRecoveryValidityInDays.
After Desktop MFA recovery is enabled in your org, use your MDM to push the configuration to devices.
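The PowerShell script below is an added example for verifying, on a managed Windows device, that the two recovery parameters your MDM pushed are present and within limits your organization chooses; it is not Okta's own code or part of this documentation. It assumes that the parameters are stored as DWORD values under a policy registry key, which is given here as an obvious placeholder ($PolicyKey) to be replaced with the path your MDM or the Okta policy reference specifies, and that the units are those stated above (minutes for DeviceRecoveryPINDuration, days for DeviceRecoveryValidityInDays). The organizational maximums ($MaxPinMinutes, $MaxValidityDays) and the ValidateRange bounds are example limits, not Okta-imposed ones.

```powershell
# Added example (not Okta's code). Assumptions:
#  - $PolicyKey is a PLACEHOLDER; replace it with the registry path your MDM
#    or the Okta Desktop MFA policy reference specifies for these parameters.
#  - Both parameters are DWORDs: DeviceRecoveryPINDuration in minutes,
#    DeviceRecoveryValidityInDays in days.
#  - $MaxPinMinutes / $MaxValidityDays are example org limits, not product limits.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\<PLACEHOLDER-OKTA-DESKTOP-MFA-POLICY-KEY>'

function Get-DesktopMfaRecoveryPolicy {
    # Reads both recovery parameters; a missing value is reported as $null
    # rather than treated as zero, so "not configured" is visible to the auditor.
    param([string]$Path = $PolicyKey)
    $names  = 'DeviceRecoveryPINDuration', 'DeviceRecoveryValidityInDays'
    $result = [ordered]@{}
    foreach ($n in $names) {
        $item = Get-ItemProperty -Path $Path -Name $n -ErrorAction SilentlyContinue
        $result[$n] = if ($null -ne $item) { [int]$item.$n } else { $null }
    }
    [pscustomobject]$result
}

function Test-DesktopMfaRecoveryPolicy {
    # Returns one finding string per problem; an empty result means the
    # device's recovery configuration matches the org's expectations.
    param(
        [Parameter(Mandatory)][pscustomobject]$Policy,
        [int]$MaxPinMinutes   = 240,   # example: temporary access no longer than 4 hours
        [int]$MaxValidityDays = 30     # example: recovery window no longer than a month
    )
    $findings = @()

    if ($null -eq $Policy.DeviceRecoveryPINDuration) {
        $findings += 'DeviceRecoveryPINDuration is not set on this device.'
    } elseif ($Policy.DeviceRecoveryPINDuration -gt $MaxPinMinutes) {
        $findings += ("DeviceRecoveryPINDuration={0} min exceeds the org limit of {1} min " +
                      "(longer temporary access without an MFA device)." -f
                      $Policy.DeviceRecoveryPINDuration, $MaxPinMinutes)
    }

    if ($null -eq $Policy.DeviceRecoveryValidityInDays) {
        $findings += 'DeviceRecoveryValidityInDays is not set on this device.'
    } elseif ($Policy.DeviceRecoveryValidityInDays -gt $MaxValidityDays) {
        $findings += ("DeviceRecoveryValidityInDays={0} exceeds the org limit of {1} days." -f
                      $Policy.DeviceRecoveryValidityInDays, $MaxValidityDays)
    }
    $findings
}

function Set-DesktopMfaRecoveryPolicy {
    # Writes the two parameters as DWORDs. Supports -WhatIf so the change can be
    # previewed on a lab device before the same values are pushed via MDM.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateRange(1, 1440)][int]$PinDurationMinutes,  # example bound
        [Parameter(Mandatory)][ValidateRange(1, 365)][int]$ValidityDays,         # example bound
        [string]$Path = $PolicyKey
    )
    $desc = "Set DeviceRecoveryPINDuration=$PinDurationMinutes, DeviceRecoveryValidityInDays=$ValidityDays"
    if ($PSCmdlet.ShouldProcess($Path, $desc)) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        New-ItemProperty -Path $Path -Name 'DeviceRecoveryPINDuration'    -PropertyType DWord -Value $PinDurationMinutes -Force | Out-Null
        New-ItemProperty -Path $Path -Name 'DeviceRecoveryValidityInDays' -PropertyType DWord -Value $ValidityDays       -Force | Out-Null
    }
}

# Usage (run elevated on the device being checked):
$policy   = Get-DesktopMfaRecoveryPolicy
$findings = Test-DesktopMfaRecoveryPolicy -Policy $policy
if ($findings.Count -eq 0) { 'Recovery policy OK' } else { $findings }
# Preview a change without applying it:
# Set-DesktopMfaRecoveryPolicy -PinDurationMinutes 120 -ValidityDays 14 -WhatIf
```

Running the audit function from your endpoint management tooling after each policy push gives you an early warning when a device is missing the recovery parameters (recovery will not work for that user) or when an overly long DeviceRecoveryPINDuration would extend the window in which the PIN stands in for a real MFA device.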
Use the device recovery PIN
With Desktop MFA recovery enabled on their device, users can contact their administrator for the device recovery PIN.
- When the user contacts your organization's IT department, the IT administrator must manually verify the user's identity in accordance with your company's policies.
- Have the user provide the model, make, and serial number of the computer they're unable to access. This information confirms that the device is associated with the appropriate account. Users receive a Contact your administrator prompt.
- After validating the user's identity and their Windows device, open the Admin Console and go to . You can also access the user's computer information from .
- Locate the user's computer using the serial number, computer name, or the user's name, and then click the device to open detailed information.
- In the Device Recovery column, click View Recovery PIN. A message appears with the user's name and a warning about the implications of generating a device recovery PIN. After reviewing the warning, click Generate device recovery PIN. The PIN is valid for two minutes.
- Share the PIN with the user, and remind them that they have two minutes to enter the PIN before it expires. Confirm that the user is able to sign in to their computer with the PIN.
After the user successfully gains access to their computer, the PIN is valid for the duration configured with your MDM and the DeviceRecoveryPINDuration setting. Share the duration with the IT department.
If the PIN doesn't work, regenerate it, as it could have expired. See Configure access policies.
- Optional. If the user no longer has their Okta Verify-enrolled MFA device, click Reset authenticators to update their authenticator configuration. This allows the user to enroll a new device for MFA.
- Advise the user to recover the Okta Verify-enrolled MFA device or register a new MFA device before the PIN expires. If the PIN expires, the user must contact the IT department to receive a new device recovery PIN, which starts the DeviceRecoveryPINDuration timer again.
Known Limitations
- If you delete a previously registered Windows computer from the Devices inventory in your org, you can't enable Desktop MFA recovery on the system. This scenario requires you to reinstall Okta Verify on the Windows computer to return it to the device inventory, after which you can enroll it in Desktop MFA.
- If a user is locked out of their system because they haven't enrolled an offline factor, the Desktop MFA recovery button doesn't appear on the sign-in screen. To briefly grant the user access, increase the MaxLoginsWithOfflineFactor registry key and redeploy the policy.
Related topics
Enable Desktop MFA recovery for macOS