Windows Desktop MFA user experience

Desktop MFA strengthens the security posture of Windows desktop computers by prompting users to verify their identity using multifactor authentication. Users must configure an offline verification method before gaining access to apps and data. This offline verification method enables secure access to the computer when the user is without an internet connection.

Before setup, users must meet these requirements:

  • They must have Okta Verify installed on a mobile device. They can have Okta Verify installed in advance, or install it as part of the Desktop MFA setup.

  • They must have Okta Verify push notifications enabled for their mobile device.

After Desktop MFA has been configured and deployed, review the user setup and sign-in process, prepare communication for the rollout, and review support details.

User setup

After booting or waking the computer, the user is prompted to sign in to Windows. At this point, Desktop MFA checks if the user has enrolled an offline authentication method to sign in. If no offline enrollments are found, Desktop MFA prompts the user to add a verification method.

Okta Verify window prompting verification set up

If the user selects Skip for now, a message appears with the number of remaining sign-in attempts before they must enroll a verification method to access their device. You can configure this number. See Configure Windows Desktop MFA policies.

Okta Device Access message displaying number of remaining sign-in attempts before a verification method must be enrolled

When the user clicks Add verification or Continue setup, they're asked to set up an offline verification method:

Okta Device Access window with ways the user can verify their identity

The user selects a method of offline verification to enroll: Device access code or Device access key. After clicking Set up, the user is prompted to ensure Okta Verify is installed. If the user doesn't have Okta Verify installed, they can select the appropriate App Store link to install the software.

  • Device access code: After confirming that Okta Verify is installed, the user clicks Next to reveal a QR code that must be scanned from the Okta Verify app. This adds a Device access code with the Windows device name to Okta Verify that can be used to verify the user when they're offline. The user sees a message confirming the successful addition of the authentication method: You can sign in to Windows with "Device access code."

  • Device access key: After confirming that Okta Verify is installed, the user clicks Next. The user is prompted to insert and then tap the YubiKey to validate the device and the user. This adds a Device access key with the Windows device name to Okta Verify that can be used to verify the user when they're offline. The user sees a message confirming the successful addition of the authentication method: You can sign in to Windows with "Device access key."

User authentication

After waking or booting the computer, the user is asked to enter a username or select a user and then enter a password. They then have to choose an authentication method to validate their identity. If the user has more than one authentication method setup, they can select any method available to them. MFA options are Okta Verify push, Okta Verify one-time password, offline one-time-password, and offline YubiKey. Okta Verify push can only be used with an internet connection.

When the user selects an authentication method, they need to complete the validation request:

  • For Okta Verify push, click Send push. Check the mobile device and confirm the sign-in attempt in the Okta Verify app.

  • For Okta Verify one-time password, open Okta Verify on a mobile device and find the one-time password. Enter the number in the sign-in field, and then click the arrow to proceed.

  • For Offline one-time password, open Okta Verify on a mobile device and find the one-time password. Enter the number in the Windows sign-in field and click the arrow to proceed.

  • For Offline YubiKey, insert or tap YubiKey as prompted.

If authentication is successful, the user gains access to the Windows computer. The next time the user signs in to the Windows computer, the last MFA method they used is automatically selected. To choose a different authentication method, the user clicks Try another way and uses the dropdown menu to select an alternate method to verify their identity.

Self-service password reset

If the self-service password reset option has been enabled, users can initiate a password reset if they've forgotten their password. Users must be online to reset their password.

When a user forgets their password, they click the Forgot password? button on the Windows computer. The user is asked to verify their identity with Okta Verify on the user's mobile device. After the user's identity has been verified, they're prompted for a new password on their Windows computer. This new password must meet the password requirements, and is entered twice to confirm the password selection. When the password has been successfully changed, the user receives a message saying "Your password has been changed." Click OK to continue accessing the computer.

Next step

Support your Desktop MFA users