
Exclude Credential Providers From Okta Windows Desktop MFA

Multi-Factor Authentication
Okta Identity Engine

Overview

When the Okta Desktop Multi-Factor Authentication (MFA) policy does not exclude other credential providers, end users can bypass the MFA challenge when accessing a Windows device. Administrators can resolve this by configuring registry keys to hide default and additional credential providers, ensuring the device uses only the Okta Credential Provider. The observable issue occurs when multiple sign-in options remain available on the machine, allowing users to authenticate without completing the Okta MFA prompt.

Applies To

  • Okta Identity Engine (OIE)
  • Okta Device Access (ODA)
  • Desktop MFA
  • Windows Devices

Cause

The Desktop MFA policy does not exclude other credential providers, allowing end users to bypass the MFA challenge when accessing the device. This occurs when the user has multiple sign-in options available, such as a password or Windows Hello for Business.

The following image displays a login screen with multiple sign-in options available to the user.

[Image: Login screen displaying multiple sign-in options]

Solution

Administrators can create policies to prevent end users from bypassing the Multi-Factor Authentication (MFA) challenge when accessing the device. These policies also prevent the use of any credential providers other than Okta.

How is the default password credential provider hidden?

Hide the default password credential provider by creating a registry key in the Okta Device Access policy path using these steps:

  1. Create a REG_DWORD registry key named ExcludePasswordCredProvider and set the value to 1 in the HKLM\Software\Policies\Okta\Okta Device Access path.

     The following image displays the newly created registry key in the Registry Editor.

     [Image: Registry Editor showing the ExcludePasswordCredProvider key]

  2. Verify that the password credential provider located in the default path is excluded from the login screen.

NOTE: If the sign-on options link remains visible on the login screen after creating the ExcludePasswordCredProvider registry key, the password credential provider does not follow the default path and requires manual exclusion using the steps in the next section.

How are additional credential providers hidden?

Hide additional credential providers by identifying the specific globally unique identifier (GUID) and adding it to the exclusion list using these steps:

  1. Log in to the Windows device using the alternative credential provider.

     The following image displays the login screen with the alternative credential provider selected.

     [Image: Login screen with the alternative credential provider selected]

  2. Navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnProvider and copy the GUID of the LastLoggedOnProvider.

     The following image displays the Registry Editor with the LastLoggedOnProvider GUID highlighted.

     [Image: Registry Editor with the LastLoggedOnProvider GUID highlighted]

  3. Create a REG_MULTI_SZ registry key named CredProvidersToExclude in the HKLM\Software\Policies\Okta\Okta Device Access path.
  4. Set the value of the CredProvidersToExclude key to the copied GUID.

     The following image displays the CredProvidersToExclude registry key configured with the copied GUID.

     [Image: Registry Editor showing CredProvidersToExclude set to the copied GUID]

NOTE: In addition to the password credential provider, Windows adds other credential providers by default, or the end user enables them (such as Windows Hello for Business, FIDO2, or smart cards). Filter out these custom credential providers by specifying the corresponding GUID.

How are multiple credential providers identified and excluded?

Identify and exclude multiple credential providers by locating their GUIDs in the authentication registry path and adding them to the exclusion list using these steps:

  1. Retrieve the GUID for any credential provider by navigating to the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\CredentialProviders registry path.

     The following image displays the CredentialProviders registry path containing the available GUIDs.

     [Image: Registry Editor showing the CredentialProviders path and its GUID subkeys]

  2. Verify that the selected GUID corresponds to the credential provider that requires hiding from the login window.
  3. Add the identified GUID to the HKLM\Software\Policies\Okta\Okta Device Access\CredProvidersToExclude registry entry.

NOTE: Add multiple credential providers to the list by entering each GUID on a new line. When filtered out using the registry, these credential providers remain hidden from end users.
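As an added example (not Okta's documentation or tooling), the three procedures above collapsed into one script for an elevated PowerShell session on the device: it lists every registered provider with its display name so a GUID can be checked before it is hidden, reads LastLoggedOnProvider, and writes ExcludePasswordCredProvider and CredProvidersToExclude under the Okta Device Access policy path. Assumptions: the Windows provider-list key is addressed by its on-disk name, "Credential Providers" (the article writes it without the space), the Okta provider's display name contains "Okta", and the function names are mine.

```powershell
# Added example; not Okta's own tooling. Run in an elevated PowerShell session on the device.
# Value names and the Okta policy path are those given in the article above.
$OktaPolicy   = 'HKLM:\Software\Policies\Okta\Okta Device Access'
$LogonUI      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'
$ProviderList = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

# List every registered provider as GUID + display name, so a GUID can be verified
# against the provider you intend to hide before it goes into the exclusion list.
function Get-CredentialProviderTable {
    Get-ChildItem -Path $ProviderList | ForEach-Object {
        [pscustomobject]@{
            Guid = $_.PSChildName
            Name = (Get-ItemProperty -Path $_.PSPath).'(default)'
        }
    }
}

# GUID of the provider last used to sign in (populated after signing in with the
# alternative provider, as the article describes).
function Get-LastLoggedOnProviderGuid {
    (Get-ItemProperty -Path $LogonUI -Name 'LastLoggedOnProvider' -ErrorAction Stop).LastLoggedOnProvider
}

# Write both policy values. GUIDs are stored one per REG_MULTI_SZ entry, which is
# what "one GUID per line" in the Edit Multi-String dialog produces.
function Set-OktaCredProviderExclusions {
    param([Parameter(Mandatory)][string[]]$Guids)
    $table = Get-CredentialProviderTable
    foreach ($g in $Guids) {
        $entry = $table | Where-Object Guid -eq $g
        if (-not $entry) { throw "GUID $g is not a registered credential provider" }
        # Assumption: the Okta provider's display name contains "Okta". Refuse to hide it,
        # since excluding it would leave no MFA sign-in path at all.
        if ($entry.Name -match 'Okta') { throw "Refusing to exclude the Okta provider $g" }
    }
    New-Item -Path $OktaPolicy -Force | Out-Null
    New-ItemProperty -Path $OktaPolicy -Name 'ExcludePasswordCredProvider' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $OktaPolicy -Name 'CredProvidersToExclude' -PropertyType MultiString `
        -Value ([string[]]($Guids | Sort-Object -Unique)) -Force | Out-Null
    # Read back what the policy now contains so the change can be checked.
    Get-ItemProperty -Path $OktaPolicy | Select-Object ExcludePasswordCredProvider, CredProvidersToExclude
}

# Example run: review the table, then exclude the provider last used to sign in.
Get-CredentialProviderTable | Format-Table -AutoSize
Set-OktaCredProviderExclusions -Guids @(Get-LastLoggedOnProviderGuid)
```

Pass additional GUIDs from the table to -Guids to hide more than one provider; the function rejects any GUID that is not registered on the device.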

The following image displays the Edit Multi-String dialog box with multiple GUIDs added to the exclusion list.

[Image: Edit Multi-String dialog with multiple GUIDs entered, one per line]

Once all other credential providers are successfully hidden using the registry, the end user only sees the Okta MFA login option, as shown in the following image.

[Image: Login screen showing only the Okta MFA sign-in option]
