Okta Device Access Allowed Factors on Windows

January 2025: This is an Early Access release

Introduction

We now have the capability to define which authentication methods users are allowed to utilize by setting a new registry value called AllowedFactors on Windows devices.
This enhancement provides greater control and customization over authentication policies, allowing organizations to fine-tune security measures and align them with specific operational needs.

Prerequisites

  • Okta Device Access – Desktop MFA configured in your environment
    You can follow this blog to implement it
  • Okta Verify version 5.5.4 or later is installed on all Windows devices to enable
    Allowed Factors functionality

Configure Allowed Factors policy

To configure the Allowed Factors policy for Okta Device Access Desktop MFA, it’s necessary to deploy a specific registry key to your endpoints.
The registry key must be configured appropriately across all systems where you intend to leverage the Allowed Factors option as part of the desktop multi-factor authentication (MFA) setup.

The Allowed Factors registry key needs to be added under the following registry path:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Okta\Okta Device Access

Value name: AllowedFactors
Description: A list of factors that users can authenticate with. The allowed factors appear in the order that they’re listed in your configurations. If no factors are specified, all factors are allowed.
Ensure that the factors listed are spelled correctly.

Accepted values for AllowedFactors are:

– OV_Push
– OV_TOTP
– Offline_TOTP
– FIDO2_USB_key

Values: REG_MULTI_SZ*
Default value: (none listed)

This is an example of how the registry entry should appear, providing clarity on the correct configuration for the AllowedFactors value.

To enable the Allowed Factors list, the UseDirectAuth setting must be activated under the following registry path:
HKEY_LOCAL_MACHINE\SOFTWARE\Okta\Okta Device Access
If no specific factors are listed, the system defaults to allowing all available factors. It is crucial to ensure that the specified factors are accurately spelled to avoid configuration errors or authentication issues.
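One way to deploy the value so that a misspelled or empty list never reaches an endpoint, as an added example that is not part of the original post or Okta's own tooling. The sample factor list is constructed, and two behaviours are assumptions: that factor names are matched case-sensitively, and that a present, non-zero UseDirectAuth value counts as activated.

```powershell
# Added example (not Okta's code). Run from an elevated PowerShell session.
$PolicyPath     = 'HKLM:\SOFTWARE\Policies\Okta\Okta Device Access'  # from the article
$DirectAuthPath = 'HKLM:\SOFTWARE\Okta\Okta Device Access'           # from the article
$Accepted       = @('OV_Push', 'OV_TOTP', 'Offline_TOTP', 'FIDO2_USB_key')

# Constructed sample policy: factors are offered to users in this order.
$Desired = @('FIDO2_USB_key', 'OV_Push')

function Test-AllowedFactors {
    param([string[]]$Factors)
    $problems = @()
    if (-not $Factors) {
        # An empty list means "allow everything", which is rarely the intent.
        $problems += 'List is empty: every factor would be allowed.'
    }
    foreach ($f in $Factors) {
        # Assumption: names must match exactly, so compare case-sensitively
        # and reject stray whitespace instead of silently trimming it.
        if ($f -cnotin $Accepted) { $problems += "Not an accepted value: '$f'" }
    }
    $Factors | Group-Object | Where-Object Count -gt 1 |
        ForEach-Object { $problems += "Listed more than once: '$($_.Name)'" }
    return $problems
}

$problems = @(Test-AllowedFactors -Factors $Desired)
if ($problems.Count -gt 0) {
    throw ('AllowedFactors not written: ' + ($problems -join '; '))
}

# Create the policy key only if it is missing, then write the REG_MULTI_SZ value.
if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
New-ItemProperty -Path $PolicyPath -Name 'AllowedFactors' -PropertyType MultiString `
    -Value $Desired -Force | Out-Null

# Read back and confirm both the value type and the ordered contents.
$key = Get-Item -Path $PolicyPath
if ($key.GetValueKind('AllowedFactors') -ne 'MultiString' -or
    ($key.GetValue('AllowedFactors') -join ',') -cne ($Desired -join ',')) {
    throw 'AllowedFactors read-back does not match the intended list.'
}

# Assumption: a present, non-zero UseDirectAuth value counts as "activated".
$direct = Get-ItemProperty -Path $DirectAuthPath -Name 'UseDirectAuth' -ErrorAction SilentlyContinue
if (-not $direct -or -not $direct.UseDirectAuth) {
    Write-Warning "UseDirectAuth is not active under $DirectAuthPath; the Allowed Factors list is not enabled."
}
```

The same validation function can be run in audit mode against the value already on a device by passing it the result of `GetValue('AllowedFactors')` instead of `$Desired`.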

Demo

This demo showcases the Allowed Factors feature within Okta Device Access Desktop MFA, highlighting how we can customize and control user authentication methods.
