Okta Desktop MFA Is Not Compatible with Windows Hello
Okta Device Access
Okta Identity Engine
Overview

Users do not receive a prompt for Desktop Multi-Factor Authentication (MFA) when they log in to their Windows device using a Windows Hello PIN or biometrics. Okta Desktop MFA does not prompt in this case because Windows Hello acts as an additional credential provider. To enforce Desktop MFA prompts, administrators must exclude Windows Hello as a credential provider using Okta registry keys.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Device Access
  • Desktop MFA
  • Windows Hello
Cause

Within the Windows operating system, Windows Hello is treated as a separate credential provider rather than a single factor. As a result, it cannot be used simultaneously with Okta Desktop MFA, which itself acts as a credential provider.

Solution

What configuration excludes Windows Hello as a credential provider?

To ensure Okta prompts users for Desktop MFA, exclude Windows Hello as a credential provider on the devices by configuring the appropriate Okta registry key.

Refer to Exclude Credential Provider from Windows Desktop MFA for detailed instructions regarding the exclusion of credential providers.
