Okta Verify for Windows

You can download the Okta Verify package for Windows from the Okta Admin Console (Settings > Downloads).

Current release

Version: 6.6.2

Preview deployment: January 20, 2026

Release summary

This release includes internal fixes and minor usability improvements.

Device-Bound Single Sign-On in Early Access

Device-Bound SSO initiates a hardware-protected session for seamless access to apps after users sign in to Okta-joined macOS and Windows devices. This self-service Early Access feature provides session replay protection and a streamlined authentication experience. See Device-Bound Single Sign-On.

Visual passcode requirements and pattern restrictions

The user interface now displays passcode requirements and indicates when users meet them. To improve security, simple patterns are restricted when users set or change a passcode.


Previous releases

Version: 6.5.1

Production deployment: January 5, 2026

Release summary

  • Users who enabled Windows Hello on their device didn't see the Windows Hello confirmation option in Okta Verify if the app was already running. (OKTA-954140)

  • This release also includes internal fixes and minor usability improvements.

Version: 6.4.0

Production deployment: December 3, 2025

Release summary

  • This release improves the way screen readers interact with static text within the Okta Verify app. This change provides a better experience for users who rely on accessibility tools.

  • On systems where Windows Hello wasn't available (such as a virtual machine), the Okta Verify app only displayed the Passcode confirmation toggle when user verification was set to Windows Hello. (OKTA-720210)

  • After a user rebooted their Windows system, they were prompted for a password during sign-in attempts, even when passwordless authentication was the active multifactor policy. (OKTA-1010475)

  • On Windows, some Okta Verify users without complete org information on their local device couldn't see their account or enable user verification. Also, the device couldn't publish an asynchronous signal for Identity Threat Protection. (OKTA-1024030)

  • When both the UseDirectAuth and PasswordlessAccessEnabled policies were enabled for use with FIDO2 keys, users who hadn't already signed in received two push notifications during their initial sign-in attempt. (OKTA-1011119)

  • Users on domain-joined remote machines experienced significant sign-in delays when attempting to use a passwordless flow with Okta Device Access. (OKTA-1012063)

  • This release also includes internal improvements and fixes.

Version: 6.3.2

Production deployment: November 3, 2025

Release summary

  • Icons have been updated to follow the established pattern of using triangles for warnings and circles for errors. (OKTA-925184)

  • For orgs where offline factors weren't allowed (OfflineLoginAllowed = 0) and the maximum number of sign-in attempts without an enrolled factor (MaxLoginsWithoutEnrolledFactors) was also set to 0, sign-in attempts from users with an enrolled online factor were unexpectedly blocked. (OKTA-829794)

  • This release also includes internal improvements and fixes.

Version: 6.2.1

Production deployment: September 29, 2025

Release summary

  • Credential provider data wasn't translated on the Spanish Desktop MFA sign-in page. (OKTA-668358)

  • With the UseDirectAuth policy enabled, the registry value that counts sign-in attempts without an enrolled factor didn't increase, even when the user lacked online factors. (OKTA-837524)

  • Device signals incorrectly indicated changes due to a device's locked status. This triggered inaccurate events in Identity Threat Protection. (OKTA-893673)

  • Device Access requests for a password reset failed due to incomplete pre-population of the previous password field. (OKTA-972023)

  • For some Device Access users, the password reset flow failed when the UseDirectAuth policy was enabled. (OKTA-993170)

Version: 6.1.1

Production deployment: August 26, 2025

Release summary

  • This release enhances the Desktop MFA feature on Windows to include an admin-assisted recovery path.

    If a user is locked out of their Windows device, an admin can now issue a time-based recovery PIN. This grants the user temporary access to their computer without needing their primary MFA device, enabling them to resolve their authenticator issue and sign in successfully.

    See Enable Desktop MFA recovery for Windows.

  • When the UseDirectAuth and PasswordlessAccessEnabled policies were both enabled for use with FIDO2 keys, new users who hadn't already signed in received three push notifications during their initial sign-in attempt. (OKTA-976811)

  • Users sometimes saw a "login failed" response instead of a successful login when they canceled a FIDO2 assertion and immediately started a new one. (OKTA-838071)

  • In certain cases, a user could be prevented from signing in if they had no online or offline factors enrolled, even if the MaxLoginsWithoutEnrolledFactors policy maximum wasn't reached. (OKTA-837497)

Version: 6.0.0

Production deployment: August 5, 2025

Release summary

  • This release includes internal improvements and fixes.

  • Okta Verify crashed after a user signed into Windows on a Citrix VDI environment and launched the app. (OKTA-939226)

Version: 5.12.1

Production deployment: July 15, 2025

Release summary

  • This release includes internal improvements and fixes.

Version: 5.10.1

Production deployment: July 1, 2025

Release summary

  • The FIDO2 Password Autofill feature enables users to sign in to their desktop with DMFA without a password. See Configure Desktop MFA for Windows to use FIDO2 keys.

  • This release includes usability fixes and updates the copyright dates.

  • Sometimes, the Okta Verify client for Windows didn't open after it was installed or upgraded. (OKTA-911017)

  • The Okta Verify setup command didn't accept multiple configuration values for the DeviceHealthOptions parameter. (OKTA-940008)

  • Some orgs saw errors when enabling user verification or changing Windows Hello verification settings for existing enrollments. Also, the custom logo didn't appear. As a result, affected users need to re-enroll in Okta Verify to address these errors. (OKTA-756034)

Version: 5.9.1

Production deployment: June 3, 2025

Release summary

  • This release adds Basque language localization.

  • This release is signed using a new code signing certificate.

  • For a hybrid Microsoft Entra ID joined device, Desktop MFA failed to sign the user in if they entered an incorrect username, even after correcting the error. (OKTA-900913)

  • If offline sign-in flows weren't allowed, Windows users were blocked by Desktop MFA on their first sign-in attempt. (OKTA-844621)

  • Users were unable to sign in on Windows if they weren't in the user cache and passwordless was enabled. (OKTA-839592)

  • When a user tried to sign in with a Universal Principal Name (UPN) on a hybrid Active Directory, authentication failed if passwordless was enabled and there was no user cache. (OKTA-839426)

  • The text color used for error messages in the Change passcode dialog was difficult to read when using dark mode. (OKTA-827692)

Version: 5.8.1

Production deployment: May 12, 2025

Release summary

  • This release includes accessibility improvements and localization updates.

  • The signing certificate has been renewed for the Windows PowerShell scripts used by the installer. Attach the renewed certificate using the instructions in the Windows Okta Verify: PowerShell Scripts knowledge base article.

  • For devices that were only joined to Microsoft Entra, Okta Verify didn't retrieve the device's security identifier. This issue didn't occur for hybrid joined devices. (OKTA-724954)

  • Users weren't able to validate MFA through FIDO2, Okta Verify Push, or TOTP authentication if the OrgURL contained a trailing slash character or uppercase letters. (OKTA-897324)

Version: 5.6.6

Production deployment: April 14, 2025

Release summary

  • This release includes internal improvements and fixes.

Version: 5.6.5

Production deployment: April 7, 2025

Release summary

  • This release includes permission improvements for Okta Device Access authentication.
  • This release includes accessibility fixes.
  • This release includes security improvements for the Okta Verify installer.
  • The app crashed during startup or didn't initialize successfully. (OKTA-537663)
  • The CrowdStrike plugin wasn't created during Okta Verify 5.1.3 installation because the EnableZTAPlugin=True option was case-sensitive. (OKTA-806465)
  • Okta Verify failed to launch for some users. (OKTA-842723)

Version: 5.5.5

Production deployment: February 13, 2025

Release summary

  • Desktop MFA with FIDO2 Security Keys enables users to sign in to their devices with FIDO2 security keys. To configure this feature, see Configure Desktop MFA for Windows to use FIDO2 keys. This release also includes an integration with SpecOps Self Service Password Reset, which enables users to reset their passwords from the sign-in page.
  • V2 Telemetry framework added to Okta Verify and Okta Device Access. (OKTA-851364)

Release notes retention policy

Okta maintains release notes online for a period of 12 months following a release.

Contact Okta Support to request archived documentation for releases outside this window.