Desktop MFA Not Prompting When Unlocking Computer
Okta Device Access
Okta Identity Engine
Overview

This article reviews how to configure the frequency with which users are prompted for Desktop MFA from the lock screen. This concern arises when users are not prompted for Desktop MFA as frequently as expected when attempting to unlock the computer.

For example, users are prompted the first time they unlock their PCs but are not prompted upon subsequent attempts.

Applies To
  • Okta Identity Engine (OIE)
  • Desktop MFA
  • Windows OS
Cause

This issue is often due to the MFA Grace Period, a configurable value set in the registry by the key named MFAGracePeriodInMinutes. This key defines the length of a grace period (in minutes) a user has without needing to use MFA after locking the computer. By default, the value is set to 60 minutes.

Solution

The MFAGracePeriodInMinutes value (REG_DWORD) is stored under the registry key HKLM\Software\Policies\Okta\Okta Device Access.

If the desired behavior is that users should be prompted more frequently, change the grace period to a number smaller than 60 (default value). If users should always be prompted without any grace period, change the grace period to 0 (zero).

NOTE: The grace period is only applicable when locking the computer. Switching user accounts or restarting the computer should prompt users to verify their identity using MFA.

Administrators may use PowerShell, regedit (for the target machine), a Group Policy Object (GPO), or an MDM to modify these values for a user or group of users.

Example: Open PowerShell as administrator and run the following command:

reg add "hklm\software\Policies\Okta\Okta Device Access" /f /v MFAGracePeriodInMinutes /t REG_DWORD /d 0


NOTE: Running the Okta Verify installer a second time with command-line parameters does not change the registry key parameters. To change Okta Verify parameters, use PowerShell, regedit, GPO, or a Mobile Device Management (MDM) to update key values.
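The following PowerShell function is an added example, not part of this article or of Okta's own tooling. It audits the grace period on the local machine by reading MFAGracePeriodInMinutes from the policy key above, treats a missing value as the documented 60-minute default, and optionally writes the desired value back; the -MaxAllowedMinutes and -Enforce parameters are this example's own assumptions, not Okta settings.

```powershell
# Audit (and optionally enforce) the Okta Desktop MFA grace period on this machine.
# Added example; the parameters below are assumptions for illustration, not Okta settings.
function Get-OktaDesktopMfaGracePeriod {
    [CmdletBinding()]
    param(
        [int]$MaxAllowedMinutes = 0,   # policy ceiling; 0 = always prompt after a lock
        [switch]$Enforce               # when set, rewrite out-of-policy values (needs admin)
    )

    $keyPath   = 'HKLM:\Software\Policies\Okta\Okta Device Access'
    $valueName = 'MFAGracePeriodInMinutes'
    $default   = 60   # documented default when the value is absent

    # Read the configured value; $null means the value (or the whole key) is not present.
    $current = $null
    if (Test-Path -Path $keyPath) {
        $current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    }

    $effective = if ($null -eq $current) { $default } else { [int]$current }
    $compliant = $effective -le $MaxAllowedMinutes

    if (-not $compliant -and $Enforce) {
        # Create the policy key if nothing has created it yet, then write the REG_DWORD.
        if (-not (Test-Path -Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
        New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord `
                         -Value $MaxAllowedMinutes -Force | Out-Null
        $effective = $MaxAllowedMinutes
        $compliant = $true
    }

    # One row per machine; pipe to Export-Csv when collecting across a fleet.
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ConfiguredValue  = $current      # $null = not set, default applies
        EffectiveMinutes = $effective
        MaxAllowed       = $MaxAllowedMinutes
        Compliant        = $compliant
    }
}

# Report only:
Get-OktaDesktopMfaGracePeriod -MaxAllowedMinutes 0
# Report and correct (run from an elevated PowerShell session):
# Get-OktaDesktopMfaGracePeriod -MaxAllowedMinutes 0 -Enforce
```

Because the value lives under HKLM\Software\Policies, a GPO or MDM that manages the same key will overwrite whatever the script writes on the next policy refresh; use the script for auditing and set the value through the management tool that owns the key.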

