Frequently Asked Questions About Desktop MFA
Okta Device Access
Okta Identity Engine
This article provides answers to frequently asked questions about Desktop MFA.

 

Table of Contents

Is Desktop MFA available today?
What are the core capabilities for Desktop MFA?
What factors are supported for Desktop MFA?
If I have non-Yubikey hardware keys, can those be used?
How can end users enroll and manage their YubiKeys (or other security keys)?
Is passwordless login supported for Windows and macOS?
What key use cases can desktop MFA address?
Where can I learn more about prerequisites and the deployment experience for Desktop MFA?
What is stored locally on the desktop once Desktop MFA is installed?
Where are the keypairs generated as part of the Desktop MFA enrollment process stored?
What are Okta’s plans to support desktop MFA for other operating systems?
Does Desktop MFA support shared workstations?
How does Desktop MFA interact with ThreatInsights or other adaptive policy rules?
What recovery flows are available for Desktop MFA?
Is User Account Control (UAC) supported in Desktop MFA for Windows?
Can I test or trial Desktop MFA? 

 

Is Desktop MFA available today?

Desktop MFA for Windows and macOS are both Generally Available (GA).
 

What are the core capabilities for Desktop MFA?

  • To enforce MFA during Windows/macOS login to meet security and compliance requirements
  • To configure and install the new Okta Credential Provider (for Windows) or authorization plug-in (for macOS) and Okta Verify desktop instance
  • To prompt users to provide step-up authentication at device login whether they are online or offline
  • (For Windows) To configure a policy via registry keys and target it for certain AD or Entra ID users and groups
  • (For macOS) To configure a policy via device management configurations and target it for certain local macOS account users and groups
  • (For Windows) To enable a passwordless login experience for Windows end users

 

What factors are supported for Desktop MFA?

Windows:

  • Offline: Okta Verify one-time password, security key with OATH support
  • Online: Okta Verify push (with or without number challenge), Okta Verify one-time password, FIDO2 security key

macOS:

  • Offline: Okta Verify one-time password
  • Online: Okta Verify push (with or without number challenge), Okta Verify one-time password, FIDO2 security key

Customers can enforce number challenge with Okta Verify push for Okta Device Access. Customers must have both the Device Access SKU and Adaptive MFA SKU in order to do so.
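The reason the offline column holds only one-time passwords is that an OATH OTP can be verified entirely on the device from a secret shared at enrollment, whereas push needs a round trip to the cloud. The following added example (not Okta's code, and not how Okta Verify is implemented) shows the mechanism: RFC 6238 TOTP generation and a verifier that tolerates clock drift but rejects replay of an already-accepted code. It uses the RFC's published test secret; the 30-second step, SHA-1 and 6 digits are assumptions for the illustration, not parameters the page states.

```python
"""Offline OATH TOTP verification (RFC 6238), as used by an offline OTP factor.

Added illustration only: the secret, step size, hash and digit count are
assumptions, not Okta's values.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed time step
DIGITS = 6          # assumed code length

# RFC 6238 test secret (ASCII "12345678901234567890"); a real enrollment would
# store a randomly generated secret on the device instead.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, candidate: str, at: int, window: int = 1,
                used_counters=None) -> bool:
    """Check a submitted code against the current step plus/minus `window` steps.

    No network is needed: everything derives from the enrolled secret and the
    local clock. If `used_counters` (a set) is supplied, a counter that has
    already been accepted is refused, which is what stops an observed code from
    being replayed inside the drift window.
    """
    if not (candidate.isdigit() and len(candidate) == DIGITS):
        return False
    counter = at // STEP_SECONDS
    for delta in range(-window, window + 1):
        c = counter + delta
        if used_counters is not None and c in used_counters:
            continue
        if hmac.compare_digest(hotp(secret, c), candidate):
            if used_counters is not None:
                used_counters.add(c)
            return True
    return False


if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))          # RFC 6238 vector, 6 digits: 287082
    print(verify_totp(RFC_SECRET, "287082", 89))  # still accepted one step later
```

The drift window is the trade-off to watch on a laptop that has been offline for a while: a wider window absorbs clock skew but lengthens the time an intercepted code stays usable, which is why the verifier also tracks accepted counters.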

 

If I have non-Yubikey hardware keys, can those be used?

For Desktop MFA for Windows, PIN-based FIDO2 security keys are supported. In addition, security keys with OATH support can be used as offline factors for Desktop MFA for Windows.

For Desktop MFA for macOS, Yubico FIDO2 security keys are supported.
 

How can end users enroll and manage their YubiKeys (or other security keys)?

The Okta recommendation is to take advantage of the Okta partnership with Yubico to provide end users with pre-enrolled YubiKeys via automated fulfillment and activation flows. This is a great solution for onboarding new hires, but also applicable to current end users.

Customers always have the option for their admins to manually enroll a YubiKey or other security key for a user or have the end user enroll on their own via the Okta End User Dashboard or Okta sign-in widget. For FIDO2 security keys, there are no additional enrollment steps for end users in order to start using their key for Desktop MFA. For security keys with OATH support, which is supported for offline Desktop MFA for Windows, there are a few additional steps within the Windows Okta Verify app for end users to finish enrollment.

End users can manage their security keys through the Okta End User Dashboard, and for security keys with OATH support, there are additional management capabilities within the Windows Okta Verify app.
 

Is passwordless login supported for Windows and macOS?

Admins can choose to remove the password prompt for end users logging in to Windows computers. Instead of entering a password, users authenticate with either (1) an Okta Verify push notification (with or without number challenge) combined with mobile-supported biometrics (note: passcode or PIN fallback is not currently supported with OV push), or (2) a supported PIN-based FIDO2 security key.

To enforce user verification with biometrics or PIN, Okta provides recommended settings in the product documentation for admins to apply in the Okta Admin Console. Passwordless login is NOT recommended with an OV push notification or a FIDO2 security key alone, without user verification. If, for whatever reason, a second factor cannot be enforced to allow passwordless login securely, we recommend falling back to a Desktop MFA experience with password input. For FIDO2 security keys, Okta requires a PIN: if the key has no PIN set, users will be required to provide a password.

The Windows device must be online to support passwordless login.

Okta Device Access will not support passwordless login for macOS computers due to Apple design limitations. macOS can never be truly passwordless due to the necessity of providing a password for FileVault login.

 

What key use cases can desktop MFA address?

Compliance

Complying with cyber insurance and regulatory requirements has always been a driver for MFA, and similar requirements have recently surfaced for desktop MFA. Driven primarily by the recent proliferation of attacks, many of our customers are now required to provide desktop access controls and to prove they have an effective desktop login solution in order to meet the requirements of various authorities and operate as a business. Example external forces driving the adoption of desktop MFA include:

Security

  • The primary reason for implementing desktop MFA is to protect the business by reducing the attack surface and mitigating the risk of desktop takeover. The mission is to reduce or eliminate the business impact of activity by bad actors. Careful management of desktop access may not eliminate network and account compromises; still, it can reduce the risk of significant business impact due to desktop takeover and access to company resources.

 

Where can I learn more about prerequisites and the deployment experience for Desktop MFA?

Please refer to the product documentation to learn more.
 

What is stored locally on the desktop once Desktop MFA is installed?

For Desktop MFA for Windows, all required functionality (e.g., the credential provider and registry keys) is packaged into the Okta Verify app. The same is true for Desktop MFA for macOS: everything (e.g., the authorization plug-in and plist) is pushed to the desktop as a single package via MDM.
 

Where are the keypairs generated as part of the Desktop MFA enrollment process stored?

For both Windows and macOS, a keypair is generated as part of enrolling in offline factors (online factors are verified against the cloud, so no local keypair is necessary). This keypair is not stored in a Trusted Platform Module (TPM); it is stored in a private SQL database on the device. In practice this means the offline enrollment is protected by operating-system access controls on that database rather than by a hardware-bound key, which is worth factoring into your threat model for lost or compromised devices.
 

What are Okta’s plans to support desktop MFA for other operating systems?

Desktop MFA for Linux requires support for Okta Verify for Linux first.

ChromeOS already supports device authentication and MFA today if your Google environment authenticates against Okta.
 

Does Desktop MFA support shared workstations?

Okta Device Access supports shared workstations at this time, with limitations. Desktop MFA works on shared computers with multiple user accounts; each user needs an account on each workstation. Online factors use security keys or existing Okta Verify enrollments on the user's mobile device, so they carry over when moving between workstations. Offline factors are enrolled per device, so each user must enroll their offline factors on every desktop they want to access offline.
 

How does Desktop MFA interact with ThreatInsights or other adaptive policy rules?

Desktop MFA is not currently integrated with ThreatInsights; however, push notifications will be shown with the OS platform (e.g., “Windows Desktop”) and not as “Unrecognized Devices or Locations.” Desktop MFA also does not currently support device policy conditions, but this is on the roadmap.
 

What recovery flows are available for Desktop MFA?

Recovery flows are available for Desktop MFA for macOS and Windows. If a user cannot log in because of a lost or forgotten factor/authenticator, a message on their macOS login screen instructs them to call their help desk, where an authorized Okta admin can generate a recovery PIN that the user enters to log in to their Mac. Allow up to 2 minutes after the admin generates the PIN before it can be used; it then remains valid for the validity duration the admin has configured. All PINs expire as soon as the user completes a Desktop MFA challenge with an enrolled online or offline factor. Because the PIN bypasses the enrolled factors, the help desk should verify the caller's identity before an admin generates one.
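The lifecycle just described (admin mints a PIN, it is time-boxed, it can be used once, and it dies the moment the user succeeds with a normal factor) is a break-glass pattern worth getting right in any system. The following added example models that lifecycle as an illustration; it is not Okta's implementation and the 8-digit length, attempt limit and PBKDF2 parameters are assumptions chosen for the example. Time is passed in explicitly so the expiry logic can be exercised without waiting.

```python
"""Illustrative model of a help-desk recovery PIN (added example, not Okta code).

Properties demonstrated: random PIN returned to the admin exactly once, only a
salted hash kept at rest, hard expiry, single use, attempt limiting, and
revocation when the user completes a regular MFA challenge.
"""
import hashlib
import hmac
import secrets


class RecoveryPinStore:
    MAX_ATTEMPTS = 5          # assumed lockout threshold
    KDF_ITERATIONS = 50_000   # assumed PBKDF2 cost

    def __init__(self, validity_seconds: int, digits: int = 8):
        self.validity = validity_seconds
        self.digits = digits
        self.revoke()

    @staticmethod
    def _hash(pin: str, salt: bytes, iterations: int) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)

    def issue(self, now: int) -> str:
        """Admin action: mint a fresh PIN. The plaintext is returned once and
        never stored; any previously issued PIN is replaced."""
        pin = "".join(secrets.choice("0123456789") for _ in range(self.digits))
        self._salt = secrets.token_bytes(16)
        self._digest = self._hash(pin, self._salt, self.KDF_ITERATIONS)
        self._expires_at = now + self.validity
        self._attempts = 0
        return pin

    def active(self, now: int) -> bool:
        return self._digest is not None and now < self._expires_at

    def redeem(self, candidate: str, now: int) -> bool:
        """Login-screen check. A correct PIN is consumed; too many wrong
        guesses revoke the PIN so it cannot be brute-forced."""
        if not self.active(now):
            return False
        if self._attempts >= self.MAX_ATTEMPTS:
            self.revoke()
            return False
        self._attempts += 1
        ok = hmac.compare_digest(
            self._hash(candidate, self._salt, self.KDF_ITERATIONS), self._digest)
        if ok:
            self.revoke()  # single use
        return ok

    def on_mfa_success(self) -> None:
        """The user completed a challenge with an enrolled online or offline
        factor, so any outstanding recovery PIN is no longer needed."""
        self.revoke()

    def revoke(self) -> None:
        self._digest = None
        self._salt = None
        self._expires_at = None
        self._attempts = 0


if __name__ == "__main__":
    store = RecoveryPinStore(validity_seconds=15 * 60)
    pin = store.issue(now=1_000)
    print(store.redeem(pin, now=1_010))   # True: first use succeeds
    print(store.redeem(pin, now=1_020))   # False: already consumed
```

The two revocation paths matter: expiry bounds how long a PIN leaked during the phone call stays useful, and revocation on normal MFA success means a forgotten, unused PIN does not linger as a second credential for the account.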
 

Is User Account Control (UAC) supported in Desktop MFA for Windows?

Existing UAC will continue to function in Windows 10/11 as customers are used to today. Okta Device Access does not impact this at this time. 
 

Can I test or trial Desktop MFA? 

Yes. Please reach out to your Okta account team to learn more.

 
