
January 2025: This is an Early Access release
Introduction
When integrating Okta Device Access with FIDO2 security keys for Windows environments, the process enables robust multi-factor authentication (MFA) for user devices, enhancing overall security. By leveraging FIDO2 security keys such as YubiKeys, organizations can streamline authentication and ensure users are protected against credential-based attacks.
The integration involves setting up FIDO2 security keys as the authentication mechanism for Windows devices, ensuring users authenticate seamlessly with a combination of Okta Device Access and Desktop MFA settings. This process strengthens the security posture by enforcing physical authentication methods in addition to traditional password mechanisms.
For a smooth experience, it’s important to ensure that the required software is installed, including Okta Device Access for Windows, which allows devices to securely store and manage FIDO2 credentials.
By utilizing FIDO2 security keys, organizations can significantly reduce the risk of unauthorized access, mitigate phishing attempts, and deliver an intuitive user experience on Windows devices. This solution is part of a comprehensive security strategy that blends modern identity management practices with seamless device authentication.
Requirements
To successfully implement Okta Device Access FIDO2 for Windows, there are several critical requirements that need to be in place.
These requirements ensure that the authentication process is secure, streamlined, and effective, offering an easy-to-use yet robust solution for enterprise environments.
Below are the essential components required for a smooth implementation:
- Okta Device Access (ODA) must be configured and enabled within the Okta Admin Console; you can find instructions in this blog or on the help page.
- The Okta Verify app (5.5.4, Early Access) should be deployed on the Windows devices.
- Ensure that you are using compatible FIDO2 security keys, such as YubiKeys or other similar hardware.
- Windows devices should be running Windows 10 or a later version, as FIDO2 security keys are supported natively on these operating systems.
In this blog post, I will be demonstrating various use cases using different models of YubiKeys for the demos and screenshots.
Activating FIDO2 Support for the Desktop MFA
To enable FIDO2 support for Desktop MFA, it’s necessary to deploy a specific registry key to your endpoints. The registry key must be configured appropriately across all systems where you intend to enforce FIDO2 authentication as part of the desktop multi-factor authentication (MFA) setup.
Here’s a quick overview of how to configure this:
Registry Key Setup:
- The FIDO2 registry key needs to be added under the following registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Okta\OktaDeviceAccess.
- The specific value to be added is: UseDirectAuth
- Set the value to 1 to enable FIDO2 support.

- Use your organization’s endpoint management tool to deploy the registry key to the target machines.
- Ensure all endpoints receive the update so that authentication works seamlessly.
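As an added example (not part of the original post or Okta’s own tooling), the following PowerShell script checks for the UseDirectAuth value described above and writes it when it is missing or wrong, so it can be pushed through an endpoint management tool. It assumes the value is a REG_DWORD, which the post does not state, and it must run elevated because it writes under HKLM.

```powershell
# Added example: verify and, if needed, set the Desktop MFA FIDO2 registry value.
# Assumption: UseDirectAuth is a REG_DWORD; the post only says it must be set to 1.
$OdaKeyPath = 'HKLM:\SOFTWARE\Okta\OktaDeviceAccess'
$OdaValue   = 'UseDirectAuth'
$Expected   = 1

function Test-OdaFido2RegistryValue {
    # Returns $true only when the key exists and UseDirectAuth equals 1.
    $item = Get-ItemProperty -Path $OdaKeyPath -Name $OdaValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$OdaValue -eq $Expected)
}

function Set-OdaFido2RegistryValue {
    # Creates the key if it is missing and writes UseDirectAuth = 1 (DWORD, assumed type).
    if (-not (Test-Path $OdaKeyPath)) {
        New-Item -Path $OdaKeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $OdaKeyPath -Name $OdaValue -Value $Expected `
        -PropertyType DWord -Force | Out-Null
}

if (Test-OdaFido2RegistryValue) {
    Write-Output "$OdaValue is already $Expected; FIDO2 Desktop MFA is enabled."
} else {
    Set-OdaFido2RegistryValue
    if (Test-OdaFido2RegistryValue) {
        Write-Output "$OdaValue set to $Expected under $OdaKeyPath."
    } else {
        Write-Error "Failed to set $OdaValue under $OdaKeyPath."
        exit 1
    }
}
```

The Test function on its own can serve as a detection script (exit 1 when it returns $false) and the rest as the remediation, which is the split that tools such as Intune remediations expect.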
Set up the FIDO2 (WebAuthn) authenticator
To configure the FIDO2 (WebAuthn) authenticator in Okta, follow these steps:
Select the FIDO2 (WebAuthn) Authenticator:
In the Authenticators section of the Okta Admin Console, locate FIDO2 (WebAuthn) in the list of available authenticators.

Add the Authenticator

Click Add under the FIDO2 (WebAuthn) option.
In the pop-up window, review the configuration options and click Add Authenticator to finalize the setup.

Once added, users can authenticate securely using FIDO2-compliant devices, providing a modern, phishing-resistant authentication method for improved security and user convenience.
To configure user verification methods for FIDO2 (WebAuthn) in the Okta Admin Console, follow these steps:

- Navigate to the General Settings:
– On the General Settings page of your chosen authenticator, click the Edit button to access the available configuration options.
- Select a User Verification Method:
– Under the Settings section, use the dropdown menu to select the desired User Verification method.
– You can choose between different verification levels, depending on your organization’s security needs.
- Understand the User Verification Options:
– Review the descriptions provided in the console to understand the implications of each method.
In this blog post, I will cover the following settings:
– User Verification Discouraged: Ideal for scenarios where verification via built-in device security (e.g. PIN) is not required.
– User Verification Required: Ensures users authenticate with device-level security, providing a stronger guarantee of identity verification.
Setting Up FIDO2 Security Keys
There are multiple approaches to provisioning a FIDO2 security key for your users, ensuring flexibility based on organizational needs.
User registers YubiKey using the Okta End-User Dashboard
In this demo, I will showcase how users can independently register their FIDO2 security key (Security Key By Yubico with NFC Black) directly through the Okta End-User Dashboard.
This streamlined process provides an intuitive and secure method for enrolling authentication keys, empowering users while meeting organizational security requirements.
Register a YubiKey on behalf of user in the Admin Console
In this demo, I will walk you through the process of registering a YubiKey (YubiKey 5Ci ) on behalf of a user via the Okta Admin Console.
This scenario is useful when administrators need to pre-provision security keys for users, ensuring a streamlined onboarding process and compliance with organizational policies.
Authentication use cases
In this section, we will delve into various authentication scenarios, each accompanied by a detailed demonstration to provide clarity and practical understanding.
Authentication User verification “Disabled”
In this section, I will detail the configuration process and demonstrate the resulting user experience when User Verification is disabled in the FIDO2 settings and the Desktop MFA Authentication Policy.
Configuration Overview:
– With User Verification Disabled in the FIDO2 settings, the system bypasses the requirement for biometric or device-based authentication during login attempts.
– Similarly, in the Desktop MFA Authentication Policy, this configuration ensures that only a registered FIDO2 security key is needed for authentication without additional verification steps.
Setup Steps:
- Navigate to the Okta Admin Console and access the Authenticators section.
- For the FIDO2 (WebAuthn) authenticator, ensure that User Verification is set to Discouraged during the setup.

In the Desktop MFA Policy, select the appropriate rules to enforce authentication without requiring verification from built-in security features.


Demo – Desktop MFA FIDO2 YubiKey
This demo highlights the process of logging into a desktop using Desktop MFA with a FIDO2 YubiKey security key, showcasing the workflow where user verification is disabled.
The demonstration emphasizes a streamlined authentication experience, where the key provides secure access without requiring an additional verification step.
When reviewing the Okta System Logs, you will observe the following log entries that provide key insights into system activities and authentication workflows.


Authentication User Verification “enabled”
In this section, I will walk you through the setup process and user experience when User Verification is enabled in both the FIDO2 settings and the Desktop MFA Authentication Policy.
This configuration ensures an additional layer of security, requiring users to authenticate not just with their FIDO2 key, but also through a verification step that strengthens overall protection.
Configuration Overview:
– Within the Okta Admin Console, enable User Verification as part of your FIDO2 security key settings. This step ensures that users must perform an extra verification action when using their security keys during login.
– Integrate User Verification in the Desktop MFA policy to require this extra layer of protection for users leveraging FIDO2 keys.
Setup Steps:
For the FIDO2 (WebAuthn) authenticator, ensure that User Verification is set to Required during the setup.

In the Desktop MFA Policy, select the appropriate rules to enforce authentication that requires verification from built-in security features.


Demo – Desktop MFA FIDO2 YubiKey
This demo shows the process of logging into a desktop using Desktop MFA with a FIDO2 YubiKey security key, where user verification is enabled.
The showcase highlights an enhanced security workflow, requiring an additional layer of verification such as a PIN alongside the FIDO2 security key.
This configuration ensures a robust balance between usability and stringent security measures.
Reset a YubiKey
During testing, there might be situations where you need to reset the YubiKey.
To perform this, you can utilize the YubiKey Manager, a tool that allows you to configure various functionalities on your YubiKey, including FIDO2, OTP, and PIV.
This tool is compatible with Windows, macOS, and Linux operating systems, making it versatile across multiple platforms.
The YubiKey Manager supports all currently supported YubiKey models, ensuring broad compatibility.
You can download the YubiKey Manager directly from the official Yubico website here, and I’ve also prepared a short demo to guide you through the process of resetting your YubiKey effectively.
User has no YubiKey registered
If a user attempts to log in to a macOS device without having a registered FIDO2 key, an error message will be displayed during the authentication process.
This message indicates that the user has not yet completed the necessary steps to register a FIDO2 key for authentication.

Additionally, you can find relevant error messages logged in the OktaDeviceAccess.log file. This log can be found in the following path on a Windows device:
C:\Windows\System32\config\systemprofile\AppData\Local\Okta Device Access\Logs
These logs provide valuable information for troubleshooting and debugging any issues related to Okta Device Access.
Conclusion
Implementing FIDO2 keys for Okta Desktop MFA on Windows provides a significant leap forward in both security and usability.
By leveraging hardware-based authentication with support for PINs, organizations can strengthen their defense against credential-based attacks such as phishing and brute-force attempts.
Administrators gain flexibility in deployment, whether through user self-registration, admin-managed enrollment, or pre-enrolled key distribution via partners like Yubico.
FIDO2 keys combined with Okta’s robust identity platform set the stage for a more secure and user-friendly authentication landscape.
With these tools in place, organizations can confidently protect sensitive resources while delivering a frictionless login experience for their workforce.
