Okta Device Access Windows Passwordless login

April 2024: This is an Early Access Feature!

Introduction

Since the initial release of Okta Device Access for Windows, many new features, such as self-service password reset and number challenge, have been developed and released.
Now we are announcing the next one for Okta Device Access:
Passwordless login for Windows endpoints!

If the passwordless login option has been enabled, users can sign in to their
Windows devices without entering a password by responding to a push notification.
The Windows device must be online for passwordless access.

The user still has a valid password that can be used when push notifications are unavailable.
If the Windows device is offline, the user is required to enter a password to sign in, even if the user is enrolled in passwordless login.

Prerequisites

  • Okta Identity Engine Tenant (OIE)
  • Okta Device Access Desktop MFA for Windows configured
    A step-by-step guide can be found here
  • Okta Verify deployed on endpoints
  • Desktop MFA policies configured
  • Users have Okta Verify installed on their mobile devices with biometrics enabled
  • User verification with biometrics configured for Okta Device Access Desktop MFA
  • Windows devices (AD or AAD joined) must be online

Update / deploy the Okta Verify Application

You can use, for example, your Mobile Device Management (MDM) solution to deploy or update the Okta Verify package that you’ve downloaded from the Admin Console to your
Windows endpoints.
In this blog I will show you how to manually update the Okta Verify application using the Windows command-line option.

Use these command-line parameters with your own settings:
OktaVerifySetup--x.x.x.x-yyyyyyy.exe SKU=ALL ORGURL=https://customerorg.okta.com/ CLIENTID=xxxxxxxx CLIENTSECRET=xxxxxxxx
Replace CLIENTID and CLIENTSECRET with the values found under the Desktop MFA app > Sign on tab in your Okta tenant.

The setup starts, notices that an existing Okta Verify version is already installed and performs the upgrade.

You should see the upgrade progress.

If the upgrade went through without errors, you should see the following screen. Just press the Finish button and you are good to go.

Desktop MFA Policies

After the Okta Verify application has been installed or updated, we need to configure the
Desktop MFA policies for the Passwordless feature.
Navigate to the following path in the registry on your device: HKLM\Software\Policies\Okta\Okta Device Access

Add the following registry value:

  Value name:  PasswordlessAccessEnabled
  Description: Allow users to use the Passwordless login option
  Type:        REG_DWORD
  Value:       1

and set the value to 1 to enable the Passwordless login option.

The complete Desktop MFA policy documentation can be found here.
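The following PowerShell script is an added example (not code from the original post or from Okta) that writes the policy value described above and reads it back, so the setting can be verified or audited on a device. It assumes the registry path and value name from this post and must run in an elevated session, since it writes under HKLM.

```powershell
# Added example, not code from the original post or from Okta.
# Writes the Desktop MFA Passwordless policy value and reads it back.
# Run from an elevated PowerShell session (writing under HKLM needs administrator rights).

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Okta\Okta Device Access'
$ValueName  = 'PasswordlessAccessEnabled'

function Set-OktaPasswordlessPolicy {
    # $Enabled = 1 enables the Passwordless login option, 0 disables it.
    param([ValidateSet(0, 1)][int]$Enabled = 1)

    # Create the policy key (and any missing parent keys) if it does not exist yet.
    if (-not (Test-Path -LiteralPath $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    # -PropertyType DWord writes a REG_DWORD, the type the policy documentation lists.
    New-ItemProperty -LiteralPath $PolicyPath -Name $ValueName -Value $Enabled `
        -PropertyType DWord -Force | Out-Null
}

function Test-OktaPasswordlessPolicy {
    # Read-only check: returns an object describing the current state so it can be
    # logged or fed into a compliance report. Nothing is changed.
    $result = [pscustomobject]@{
        Path    = $PolicyPath
        Name    = $ValueName
        Present = $false
        Type    = $null
        Value   = $null
        Enabled = $false
    }
    if (-not (Test-Path -LiteralPath $PolicyPath)) { return $result }
    $key = Get-Item -LiteralPath $PolicyPath
    if ($key.GetValueNames() -notcontains $ValueName) { return $result }

    $result.Present = $true
    $result.Type    = $key.GetValueKind($ValueName)   # expected: DWord
    $result.Value   = $key.GetValue($ValueName)
    # Only a REG_DWORD with value 1 is reported as enabled. A value of the wrong
    # type (for example a string "1") is flagged so the mismatch with the documented
    # REG_DWORD type is visible instead of silently passing.
    $result.Enabled = ($result.Type -eq 'DWord' -and $result.Value -eq 1)
    return $result
}

Set-OktaPasswordlessPolicy -Enabled 1
Test-OktaPasswordlessPolicy | Format-List
```

Running only Test-OktaPasswordlessPolicy (without the Set call) is a convenient way to audit a fleet of devices before rolling the feature out.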

User Verification with biometrics

Currently, Passwordless is only supported for Okta Verify Push, and we should enable
User Verification with biometrics.
In this blog I will briefly show how to enable User Verification in the Okta Verify options and within the Authentication Policy.
Review both examples to determine the expected user verification behavior and choose the method that best fits the requirements of your organization.

Note that if biometric User Verification is turned off in both your Authentication Policies and your Okta Verify settings, users can log in to the desktop computer using only one form of authentication, which is not advised.

Okta Verify options: User Verification Required with biometrics only

To enable User Verification in the Okta Verify options, navigate to Security –> Authenticators.
On the Okta Verify line, click Actions –> Edit.

Scroll down to the User verification section, select the Required with biometrics only and Save your settings.

Authentication Policy: User Verification with Biometrics

The other option is to enable User Verification on the Desktop MFA Authentication Policy.
To do this, navigate to Security –> Authentication Policies.

Within the Policies section, open the Desktop MFA policy and edit the Catch-all Rule.

Enable the Require PIN or biometric user verification option and Save the policy.

Demo Passwordless Login

Once Desktop Passwordless Login is activated, users need to log in to their Windows computer with their password once to confirm their identity.
Afterward, they can access their Windows computer without typing a password, simply by responding to a push notification.

Now let’s look at a brief demonstration of a Passwordless login using Okta Device Access on a Windows device.

Okta Device Access – Passwordless

Demo Passwordless Multi-User

In the next demonstration, you’ll see that Passwordless authentication also works for multiple users sharing the same Windows device.

Okta Device Access Passwordless – Multi-User
