Users are not prompted for Desktop Multi-Factor Authentication (MFA) if they choose to log in to their Windows device using Windows Hello PIN or Biometrics.

• Okta Device Access
• Desktop MFA
• Okta Identity Engine (OIE)
• Windows Hello

Desktop MFA currently supports the following factors for Windows: 

• Offline: Okta Verify one-time password, YubiKey (OTP)
• Online: Okta Verify push, Okta Verify one-time password

Windows Hello is an additional credential provider, and it is expected that the user not be prompted for Okta Desktop MFA if Windows Hello PIN or Face ID is selected. In this situation, use either Okta Desktop MFA or Windows Hello only.

To prompt users for Desktop MFA, exclude Windows Hello as a credential provider on their devices by using Okta registry keys.