Exclude Credential Provider from Windows Desktop MFA
Multi-Factor Authentication
Okta Identity Engine
Overview

This article provides instructions for Okta Device Access and Desktop MFA, specifically for excluding additional Credential Providers when setting up Desktop MFA on Windows devices.

This is helpful in scenarios where the Okta Credential Provider is bypassed during authentication or when multiple credential providers exist on a machine.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Device Access (ODA)
  • Desktop MFA
  • Windows Devices
Cause

When the Desktop MFA policy does not exclude other credential providers, users can bypass the Multi-Factor Authentication challenge when accessing the device. This is visible when the user is offered multiple sign-in options (Okta, password, Windows Hello for Business (WHfB), etc.).

[Image: multiple sign-in options]

Solution

Policies can be created to prevent users from bypassing the MFA challenge when accessing the device. These policies can also prevent the usage of additional credential providers besides Okta.


Method 1 - Hide the default password credential provider

  1. Create a REG_DWORD registry value named ExcludePasswordCredProvider and set it to 1.

    • The value must be created under HKLM\Software\Policies\Okta\Okta Device Access.

[Image: Registry]

  2. This excludes the password credential provider located at the default path.

  3. If the sign-in options link is still visible on the login screen after the ExcludePasswordCredProvider value has been created, the password credential provider is not at the default path and must be excluded manually, as shown in Method 2.


Method 2 - Hide additional credential providers

  1. First, determine the GUID of the credential provider that must be excluded.

  2. Log in with the other credential provider.

[Image: Login Screen]

  3. Navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnProvider and copy the GUID stored in the LastLoggedOnProvider value.

[Image: registry]

  4. Create a REG_MULTI_SZ registry value named CredProvidersToExclude and set it to the GUID from the previous step.

    • The value must be created under HKLM\Software\Policies\Okta\Okta Device Access.

[Image: registry]

  5. Apart from the password credential provider, other credential providers are added by Windows by default or enabled by the user (such as Windows Hello for Business, FIDO2, or smart cards). Such credential providers can be filtered out by specifying their GUID.


Method 3 - Identify all credential providers and exclude multiple ones

  1. Get the GUID of any credential provider from the following registry path:

    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\CredentialProviders

[Image: Default Registry]

  2. Verify that it is the credential provider that should be hidden from the login window.

  3. Once the GUID is identified, add it to the following registry entry to hide the credential provider:

    • HKLM\Software\Policies\Okta\Okta Device Access\CredProvidersToExclude

NOTE: More than one credential provider can be added to the list. Credential providers filtered out through this registry value are hidden from end users.
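The three methods above come down to reading two registry locations and writing two policy values. The following PowerShell script is an added example, not Okta's own tooling: it lists the providers registered under the CredentialProviders key (Method 3, step 1), reads the LastLoggedOnProvider value (Method 2, step 3), and writes ExcludePasswordCredProvider and CredProvidersToExclude under the Okta Device Access policy key (Methods 1 and 2). The function names are assumptions of this example; the key paths and value names are those given in the article. Run it from an elevated PowerShell session.

```powershell
# Added example (not Okta's tooling): enumerate credential providers and write the
# Desktop MFA exclusion policy described in Methods 1-3. Requires an elevated session.
# Key paths and value names are from the article; function names are this example's own.

$PolicyKey    = 'HKLM:\Software\Policies\Okta\Okta Device Access'
$ProvidersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\CredentialProviders'
$LogonUIKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'

function Get-CredentialProviders {
    # Method 3, step 1: each subkey name is a provider CLSID; its (default) value is the display name.
    Get-ChildItem -Path $ProvidersKey | ForEach-Object {
        [pscustomobject]@{
            Guid = $_.PSChildName
            Name = (Get-ItemProperty -Path $_.PSPath).'(default)'
        }
    }
}

function Get-LastLoggedOnProvider {
    # Method 2, step 3: GUID of the provider used for the most recent sign-in.
    (Get-ItemProperty -Path $LogonUIKey -Name LastLoggedOnProvider -ErrorAction Stop).LastLoggedOnProvider
}

function Set-OktaCredProviderExclusions {
    param(
        [string[]]$GuidsToExclude,         # Methods 2/3: entries for the REG_MULTI_SZ CredProvidersToExclude
        [switch]  $ExcludePasswordProvider # Method 1: REG_DWORD ExcludePasswordCredProvider = 1
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }

    if ($ExcludePasswordProvider) {
        New-ItemProperty -Path $PolicyKey -Name ExcludePasswordCredProvider `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
    if ($GuidsToExclude) {
        # Reject anything that is not a braced GUID so a typo cannot silently produce a useless policy.
        foreach ($g in $GuidsToExclude) {
            if ($g -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
                throw "Not a braced GUID: $g"
            }
        }
        New-ItemProperty -Path $PolicyKey -Name CredProvidersToExclude `
            -PropertyType MultiString -Value $GuidsToExclude -Force | Out-Null
    }
    # Return the resulting policy so it can be reviewed before the next sign-in.
    Get-ItemProperty -Path $PolicyKey
}

# Usage: review what is registered, identify the provider behind the last sign-in,
# then exclude the providers that must not appear on the login screen.
Get-CredentialProviders | Format-Table -AutoSize
$last = Get-LastLoggedOnProvider
Write-Host "Last logged-on provider: $last"
# Example: hide the password provider and the provider used for the last sign-in.
# Set-OktaCredProviderExclusions -ExcludePasswordProvider -GuidsToExclude @($last)
```

Check the Name column of the listing before passing a GUID to Set-OktaCredProviderExclusions, as Method 3 step 2 asks: the exclusion list hides whatever it names, so do not add the Okta provider's own GUID, and keep a known-good sign-in path available until the policy has been verified on a test machine.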

[Image: Edit Registry]

Once all other credential providers are successfully hidden using the registry, the end user should not see any other sign-in options.

  • In the image below, only the Okta MFA login is available.

[Image: Login Screen]
