This guide will help to start the troubleshooting process when users are not prompted for any factors or are only prompted for offline factors. 

• Okta Identity Engine (OIE)
• Desktop MFA
• Windows
• Offline Factors
• Device Access

Follow the below steps to check and start the troubleshooting process:

1. Okta Verify was installed with incorrect parameters.
   1. Check the install command. Ensure that the OrgURL client ID and Client Secret are correct.
   2. Check HKLM\SOFTWARE\Okta\Okta Device Access values to ensure they are correct. No leading trailing spaces, etc.
2. The user is not assigned the application, or the assignment needs to be corrected.
   1. Search Okta System Log for "Desktop MFA" events.
      1. If the username format in the Desktop MFA application does not match the username they are logging in with, there will be events with the following text:
         'login_hint' did not match a user assigned to the client app.
      2. For AD-joined or Hybrid joined devices, the username format for the application will always be SamAccountName.
      3. The username format should always be the Entra AD UPN for Entra AD joined devices.
3. The user does not have an online factor configured in Okta. (OV mobile push/TOTP)
4. The authentication policy was modified from the default, causing it not to return the proper challenge for OV mobile Push/TOTP.

• • The default should always be the Possession Factor.

5. The device has no connection to the Okta org.
6. The policies were not configured in the registry at HKLM\Software\Policies\Okta\Okta Device Access. 

• •  External policies that define how Desktop MFA works are configured on the Windows endpoint registry keys. Enable more functionality using registry keys.       
  •  More details regarding registry key policies can be found on the Configure access policies documentation.

Related References

• Configure access policies