
July 2025: This is an Early Access Release
Introduction
This technical blog post offers an exploration of Okta Device Access Desktop MFA with FIDO2 Passwordless for Windows, a transformative solution designed to fundamentally redefine the Windows login experience. We’ll dissect the technical intricacies of its implementation, delineate the critical requirements for seamless integration, and illuminate the profound security and operational benefits this cutting-edge approach delivers to the modern enterprise.
Requirements
Implementing Okta Device Access Desktop MFA with FIDO2 Passwordless for Windows involves a specific set of prerequisites across your Okta tenant, Windows devices and FIDO2 security keys.
Carefully review these requirements to ensure a seamless and secure deployment.
Okta Requirements
To successfully leverage Okta Device Access with FIDO2 Passwordless for Windows, your Okta environment must meet the following criteria:
- Okta Identity Engine (OIE) Tenant: This feature is exclusively available on Okta Identity Engine (OIE) tenants.
- Okta Device Access Feature: The Device Access feature must be enabled within your Okta tenant.
- Okta Device Access Desktop MFA configured: Looking to configure Okta Device Access Desktop MFA? We’ve got you covered! You’ll find detailed, step-by-step instructions in our blog post, or you can access an alternative guide here.
- FIDO2 (WebAuthn) Enabled and Authentication Policies configured.
- Administrative Permissions: An Okta administrator account with sufficient permissions.
- Okta Verify 5.10.1 or greater deployed on Windows devices.
Windows Device Requirements
- Supported Windows Version: Windows 10 (version 1903 or later) or Windows 11; newer versions generally offer improved stability and features.
User Prerequisites & Enrollment
For end-users, the following must be in place to facilitate a smooth FIDO2 passwordless experience:
- Active Okta Account: Users must have an active Okta user account.
- Okta Verify Enrollment: Users must have successfully enrolled and paired Okta Verify on their Windows device.
- FIDO2 Security Key Enrollment: Users must have successfully enrolled their FIDO2 security key as an authenticator within their Okta user profile.
This is typically done through the Okta End-User Dashboard, and I’ve covered the enrollment process in one of my previous blog posts.
Demo – FIDO2 Passwordless on Windows
Observe the elegance and efficiency of FIDO2 passwordless authentication on Windows as we demonstrate its core functionalities in the video below.
Configuration steps
Activating FIDO2 Support for the Desktop MFA
To leverage FIDO2 authentication for Desktop Multi-Factor Authentication (MFA), a critical step involves deploying a specific registry key across your organizational endpoints.
This configuration is essential for integrating FIDO2 as a robust authentication method within your desktop MFA framework.
The UseDirectAuth value needs to be added under the following registry path:
Registry Path: HKEY_LOCAL_MACHINE\SOFTWARE\Okta\OktaDeviceAccess
Specific Value to Add:
- Value Name: UseDirectAuth
- Value Type: REG_DWORD (DWORD 32-bit Value)
- Value Data: 1

Setting the UseDirectAuth value to 1 explicitly enables FIDO2 support within the Okta Device Access client, allowing it to initiate and process FIDO2 authentication challenges during the desktop MFA flow.
Activating Passwordless policy for Desktop MFA
A specific registry key must be deployed to each Windows endpoint where you wish to enable passwordless login.
Registry Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Okta\Okta Device Access
Specific Value to Add:
- Value Name: PasswordlessAccessEnabled
- Value Type: REG_DWORD (DWORD 32-bit Value)
- Value Data: 1

Setting PasswordlessAccessEnabled to 1 on the endpoint instructs the Okta Device Access client to offer and process passwordless authentication methods during the Windows login prompt.
You can find a comprehensive overview of all policy configurations here.
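The two registry values above are usually pushed by a management tool, but it helps to have a script that both writes them and verifies the result (right hive, right type, right data) before you roll the policy out widely. The following PowerShell is an added example written for this post, not a script from Okta: the registry paths and value names are the ones listed above, while the function names and the way results are reported are my own choices. Run it from an elevated PowerShell session on a test endpoint.

```powershell
# Added example (not Okta's code): deploy and verify the Desktop MFA registry
# values described in this post. Requires an elevated (administrator) session.
# Paths and value names are from the post; function names are assumptions.

$DeviceAccessKey = 'HKLM:\SOFTWARE\Okta\OktaDeviceAccess'
$PolicyKey       = 'HKLM:\SOFTWARE\Policies\Okta\Okta Device Access'

function Set-OktaDwordValue {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Value
    )
    # Create the key (and any missing parent keys) if it does not exist yet;
    # the Policies branch in particular is often absent on a fresh install.
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # -PropertyType DWord writes a REG_DWORD (32-bit); -Force overwrites an
    # existing value of the same name instead of failing.
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Test-OktaDwordValue {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Expected
    )
    # Returns $true only when the value exists, is stored as REG_DWORD, and
    # holds the expected data. A REG_SZ "1" would fail this check on purpose:
    # the client expects a DWORD, and a wrong type is a common deployment error.
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $false }
    if ($key.GetValueNames() -notcontains $Name) { return $false }
    $kind = $key.GetValueKind($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) { return $false }
    return ([int]$key.GetValue($Name) -eq $Expected)
}

# 1. Enable FIDO2 support in the Okta Device Access client.
Set-OktaDwordValue -Path $DeviceAccessKey -Name 'UseDirectAuth' -Value 1

# 2. Enable the passwordless policy on this endpoint.
Set-OktaDwordValue -Path $PolicyKey -Name 'PasswordlessAccessEnabled' -Value 1

# 3. Verify both values before trusting the endpoint to present FIDO2 at logon.
$results = [ordered]@{
    UseDirectAuth             = Test-OktaDwordValue -Path $DeviceAccessKey -Name 'UseDirectAuth' -Expected 1
    PasswordlessAccessEnabled = Test-OktaDwordValue -Path $PolicyKey -Name 'PasswordlessAccessEnabled' -Expected 1
}
$results.GetEnumerator() | ForEach-Object {
    $state = if ($_.Value) { 'OK' } else { 'MISSING OR WRONG' }
    Write-Output ("{0,-26} {1}" -f $_.Key, $state)
}
```

Test-OktaDwordValue is deliberately strict about the value kind: a value written as REG_SZ by a mistyped GPO preference or a hand-edited .reg file will show up as "MISSING OR WRONG" rather than silently passing, which is the case you most want to catch before users are expected to sign in without a password.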
Set up the FIDO2 (WebAuthn) authenticator
To configure the FIDO2 (WebAuthn) authenticator in Okta, navigate to
Security > Authenticators.

Click Add authenticator.

In the Authenticators section locate FIDO2 (WebAuthn) and click Add.

Configure User Verification Method
To configure user verification methods for FIDO2 (WebAuthn) select Actions > Edit.

In the General settings section select Required as the User verification method and Save your settings.

Configure Authentication Policy
To configure the Desktop MFA policy, navigate to Security > Authentication Policies.

Locate and edit the Desktop MFA policy (this policy is automatically created when Desktop MFA is enabled).

Within the policy’s rules, edit the “Catch-all Rule” and ensure that “Require user interaction” is enabled.

Conclusion
The adoption of Okta Device Access with FIDO2 Passwordless authentication for Windows represents a significant leap forward in enterprise security and user experience.
This powerful combination delivers substantial value across technical, business, security, and Zero Trust domains.
