Okta Desktop MFA for Windows

Okta’s Desktop MFA for Windows strengthens the security of user authentication on Windows computers.
This customizable solution configures the sign-in flow into a Windows workstation.
The secured sign-in flow prompts a user for multi-factor authentication after the username and password are entered, and it includes offline sign-in methods that can be used in cases where an internet connection is not available.
Desktop MFA adds a layer of security to company-provided desktop and laptop computers using the Okta MFA factors your employees already use.

Technical Prerequisites

  • You have an Okta Identity Engine org available.
  • Your OIE org has the Desktop Access SKU enabled.
  • Windows 10 version 1709 or later or Windows 11 is installed on the device.
  • .NET 4.8 or later is installed on the device.
  • Active Directory is configured and the agent is running.
  • Your Windows virtual machine or device is joined to Active Directory.
  • Okta Verify (version 4 and above) is set up in your org.

Create and configure the Desktop MFA app integration

In the Admin Console, go to Settings, Account, Embedded widget sign-in support, and ensure that the Interaction Code checkbox is selected.

In the Admin Console, go to Applications > Applications.

Click Browse App Catalog and search for Desktop MFA.

Click Add integration.

On the Sign on tab, go to the Settings section and click Edit.
Click the Application username format dropdown menu and select one of the following.

On the Assignments tab, assign the app to relevant users or Active Directory (AD) security groups.

On the General tab, go to the Client Credentials section to find the Client ID and
Client secret. The identifier and secret are generated when you create the app integration.
Make note of these values, as you need them when you deploy Desktop MFA for Windows using.


Download Okta Verify for Windows

In the Admin Console, go to Settings, Downloads and download Okta Verify for Windows (.exe).

Deploy Desktop MFA for Windows to your endpoints

You can use your MDM solution to deploy the Okta Verify installation file to your Windows endpoints.

Example:
OktaVerifySetup-x.x.x.x-yyyyyyy.exe SKU=ALL ORGURL=https://customerorg.oktapreview.com/ CLIENTID=xxxxxxxx CLIENTSECRET=xxxxxxxx


To enable online MFA methods, use these command-line parameters:

  • ORGURL: Okta org URL, e.g. https://customerorg.oktapreview.com
  • CLIENTID: the client ID that you saved from the Desktop MFA app integration General tab
  • CLIENTSECRET: the client secret that you saved from the Desktop MFA app integration General tab
  • SKU: SKU=ALL

Accept the License Agreement and click Next; the installation will start.
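The following PowerShell wrapper is an added example for running the installer command shown above from an MDM, not a script from Okta or from the original post. It assumes only the installer file name pattern and the four parameters the post lists (SKU, ORGURL, CLIENTID, CLIENTSECRET); the page shows no silent-install switch, so none is used, and treating exit code 0 as success is an assumption. It checks the installer exists and that ORGURL is an absolute https URL before launching, then waits for the exit code.

```powershell
# Added example (not Okta's own script): wraps the Okta Verify installer
# invocation from this post so an MDM can run it with its parameters checked.
# Assumptions: the installer file name and the four parameters shown above;
# no silent-install switch is shown on this page, so none is passed here.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,   # e.g. C:\Temp\OktaVerifySetup-x.x.x.x-yyyyyyy.exe
    [Parameter(Mandatory)] [string] $OrgUrl,          # e.g. https://customerorg.oktapreview.com/
    [Parameter(Mandatory)] [string] $ClientId,        # from the app integration General tab
    [Parameter(Mandatory)] [string] $ClientSecret     # from the app integration General tab
)

# Refuse to run with an installer that is missing or is not an .exe.
if (-not (Test-Path -LiteralPath $InstallerPath -PathType Leaf) -or
    [IO.Path]::GetExtension($InstallerPath) -ne '.exe') {
    throw "Installer not found or not an .exe: $InstallerPath"
}

# ORGURL must be an absolute https:// URL so the client credentials are never
# sent to the org over plain http.
$uri = $null
if (-not [Uri]::TryCreate($OrgUrl, [UriKind]::Absolute, [ref]$uri) -or $uri.Scheme -ne 'https') {
    throw "ORGURL must be an absolute https:// URL, got: $OrgUrl"
}

# The same parameters the post passes on the command line.
$arguments = @(
    'SKU=ALL',
    "ORGURL=$($uri.AbsoluteUri)",
    "CLIENTID=$ClientId",
    "CLIENTSECRET=$ClientSecret"
)

# Run the installer and wait; -PassThru returns the process so the exit code can be read.
$proc = Start-Process -FilePath $InstallerPath -ArgumentList $arguments -Wait -PassThru
if ($proc.ExitCode -ne 0) {   # assumption: 0 means success, as for most Windows installers
    throw "Okta Verify installer exited with code $($proc.ExitCode)"
}

Write-Output "Okta Verify installed with Desktop MFA pointing at $($uri.Host)"
```

Because CLIENTSECRET is passed on the command line exactly as the post shows, it is visible in process listings and MDM logs while the installer runs; keep the secret in the MDM's own secret store and inject it at run time rather than writing it into the script file, and rotate it from the app integration if a script copy is ever exposed.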

Configure Desktop MFA policies

Create a PowerShell script and use your MDM solution to deploy the registry keys to your endpoints.
The registry keys are stored under HKLM\Software\Policies\Okta\Okta Device Access.
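As an added example of the policy-deployment script described above (not Okta's own script), the PowerShell below creates the policy key path named in the post, writes a set of values into it, and reads them back so the MDM log shows what actually landed. The key path comes from the post; the value names, types and data are placeholders, since this page does not list the policy settings, and are meant to be replaced with the settings from the Okta help docs.

```powershell
# Added example (not Okta's own script): create the Desktop MFA policy key
# named in this post and write policy values into it, then read them back.
# The key path is from the post; the value names and data below are
# PLACEHOLDERS to replace with the policy settings from the Okta help docs.
$policyKey = 'HKLM:\Software\Policies\Okta\Okta Device Access'

# Placeholder policy values; names and types are not documented on this page.
$policyValues = @{
    'PLACEHOLDER_PolicyName1' = @{ Type = 'DWord';  Data = 1 }
    'PLACEHOLDER_PolicyName2' = @{ Type = 'String'; Data = 'placeholder' }
}

# Writing under HKLM\Software\Policies requires an elevated context, which is
# what an MDM agent normally provides. Fail early if this is not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'This script must run elevated (SYSTEM or a local administrator).'
}

# Create the key path if it does not exist yet; -Force also creates missing parents.
if (-not (Test-Path -LiteralPath $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

# Write each value, creating it or overwriting an existing one.
foreach ($name in $policyValues.Keys) {
    $v = $policyValues[$name]
    New-ItemProperty -Path $policyKey -Name $name -PropertyType $v.Type -Value $v.Data -Force | Out-Null
}

# Read back and verify, so a failed or partially applied policy is reported
# to the MDM instead of silently leaving the endpoint without MFA settings.
$applied = Get-ItemProperty -LiteralPath $policyKey
foreach ($name in $policyValues.Keys) {
    $expected = $policyValues[$name].Data
    $actual   = $applied.$name
    if ("$actual" -ne "$expected") {
        throw "Policy value '$name' is '$actual', expected '$expected'"
    }
    Write-Output "$name = $actual"
}
```

Keys under HKLM\Software\Policies are only writable by administrators, so a standard user cannot weaken the Desktop MFA policy locally; the read-back loop is what lets the MDM distinguish a successful deployment from one where the script ran but the values were not applied.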

Set up Offline One-Time Password Method

Before you begin, you must have an Okta Verify account set up on your mobile device.
If you don’t have any offline authentication methods set up, enroll at least one method to sign in to Windows when your computer is offline.
Launch Okta Verify on the Windows workstation, and click Device Access.

Now click the One-time password button.

Follow the prompts and use your mobile device to add the one-time password authentication method.

Demo – Sign in to Windows with Desktop MFA Online Mode

Now let’s have a look at what a sign-in to the workstation with Desktop MFA and an online sign-in method looks like.

Demo – Sign in to Windows with Desktop MFA Offline Mode

The second demo shows a sign-in method that can be used in cases where the Windows workstation is not connected to the internet.

More information can also be found in the Help Docs: https://help.okta.com/en/programs/oda-win-mfa/Content/Topics/oda/windows-mfa/win-mfa.htm
