Offline biometric authentication for Windows

You can use Okta Device Access to sign in to a Windows computer when it isn't connected to the internet. Configure offline biometric factors so your users can sign in with the built-in Windows Hello biometrics (such as fingerprint or facial recognition). This provides a secure, passwordless experience that doesn't require a connection to Okta.

Benefits

Enhanced security

Uses the device's built-in Trusted Platform Module (TPM) chip to store and verify biometric credentials.

Full offline access

Enables secure access to devices in environments without internet connectivity or where authenticator devices are restricted.

User experience

Provides a fast, low-friction, and passwordless sign-in experience.

How it works

When you enable this feature, the Okta Verify app on your user's Windows device integrates with the local Windows Hello framework. During enrollment, biometric data is registered and stored securely on their device's Trusted Platform Module (TPM) chip. This process doesn't send biometric data to Okta; it remains on their local device.

If your user needs to sign in to their device while offline, Okta Device Access uses the locally stored biometric information to verify their identity. The entire authentication process happens on their device without needing to contact Okta.

Get started

Configure offline biometrics for Windows

Offline biometrics user experience

Offline biometrics troubleshooting