Okta Verify Does Not Satisfy "Hardware Protected" Constraint in Non-Persistent Environments
Overview

Okta Verify does not satisfy the Hardware protected sign-on policy constraint when used in non-persistent environments, such as Virtual Desktop Infrastructure (VDI), ephemeral containers, or stateless virtual machines.

[Image: hardware protected constraint]

Applies To
  • Okta Identity Engine (OIE)
  • Okta Verify
  • Hardware Protected
Solution

Understanding the "Hardware Protected" Constraint

When configuring an app sign-on policy in Okta, administrators can enforce phishing-resistant and hardware-backed authentication by enabling the Hardware protected condition. This constraint verifies that the authentication factor's key material is securely stored in a hardware-backed key store on the device.


Authentication factors that typically satisfy this constraint

  • WebAuthn (FIDO2).
  • Platform or roaming security keys (like YubiKey).
  • Okta Verify, only when installed and registered on a supported hardware-backed device.

Okta Verify Behavior in Persistent vs. Non-Persistent Environments

Persistent Environments (for example, personal laptops, mobile phones)

  • Okta Verify can satisfy the hardware-protected constraint if installed on a device with a secure enclave (for example, an iPhone with Secure Enclave or an Android device with StrongBox).
  • The factor registration is persistent and securely bound to device hardware.

Non-Persistent Environments (for example, VDI, ephemeral containers)

  • Secure storage and device context are not retained across sessions.
  • The operating system image is typically reset or re-cloned during each login.
  • Okta Verify installations may be deleted, reinitialized, or disconnected from the original device registration.
  • These environments often lack TPM or equivalent hardware-backed secure storage.

As a result, Okta Verify fails to meet the hardware-protected condition in these scenarios.


Conclusion

In non-persistent virtual environments, Okta Verify should not be relied upon to fulfill the Hardware protected policy constraint. For compliance with hardware-backed or phishing-resistant requirements, organizations should consider alternative authentication methods such as:

  • WebAuthn with security keys.
  • Okta FastPass on physical devices with TPM/Secure Enclave.
  • Biometric WebAuthn on supported devices.


Recommendations

  • Avoid assigning Hardware protected policy requirements to users accessing applications via VDI or ephemeral desktops.
  • Use group-based or device-based conditional policies to differentiate between persistent and non-persistent environments.
  • Educate end users and IT admins on the limitations of Okta Verify in virtualized platforms.
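One way to check the first two recommendations against exported policy rules, as an added example that is not part of this article or of Okta's own tooling: the script below walks a constructed list of access-policy rules and flags any rule that requires a hardware-protected possession factor while still reaching a group of VDI users. The rule JSON shape (conditions.people.groups, actions.appSignOn.verificationMethod.constraints[].possession.hardwareProtected) follows the Okta access policy rule API as understood here and should be confirmed against the current API reference; group IDs and rule names are placeholders.

```python
"""Flag Hardware protected rules that still apply to non-persistent (VDI) users.

The rule dictionaries are constructed samples shaped like Okta access-policy
rules; field paths are assumptions to verify against the Okta API reference.
"""

# Placeholder group ID for users who sign in from VDI / ephemeral desktops.
VDI_GROUP_IDS = {"00g_vdi_users_PLACEHOLDER"}

SAMPLE_RULES = [
    {   # Applies to everyone (no group condition) and demands hardware protection.
        "name": "Require hardware-backed factor",
        "conditions": {},
        "actions": {"appSignOn": {"verificationMethod": {"constraints": [
            {"possession": {"deviceBound": "REQUIRED", "hardwareProtected": "REQUIRED"}}]}}},
    },
    {   # VDI-specific rule: device-bound only, hardware protection left optional.
        "name": "VDI users: device-bound only",
        "conditions": {"people": {"groups": {"include": ["00g_vdi_users_PLACEHOLDER"]}}},
        "actions": {"appSignOn": {"verificationMethod": {"constraints": [
            {"possession": {"deviceBound": "REQUIRED", "hardwareProtected": "OPTIONAL"}}]}}},
    },
    {   # Workstation rule that explicitly excludes the VDI group.
        "name": "Workstations: hardware protected",
        "conditions": {"people": {"groups": {"include": ["00g_workstations_PLACEHOLDER"],
                                             "exclude": ["00g_vdi_users_PLACEHOLDER"]}}},
        "actions": {"appSignOn": {"verificationMethod": {"constraints": [
            {"possession": {"hardwareProtected": "REQUIRED"}}]}}},
    },
]


def requires_hardware_protected(rule):
    """True if any possession constraint on the rule sets hardwareProtected=REQUIRED."""
    method = rule.get("actions", {}).get("appSignOn", {}).get("verificationMethod", {})
    return any(c.get("possession", {}).get("hardwareProtected") == "REQUIRED"
               for c in method.get("constraints", []))


def rule_reaches_groups(rule, group_ids):
    """True if the rule's people condition can match a member of group_ids.
    Assumed convention: no include list means the rule applies to everyone."""
    groups = rule.get("conditions", {}).get("people", {}).get("groups", {})
    if group_ids & set(groups.get("exclude", [])):
        return False
    include = groups.get("include")
    return not include or bool(group_ids & set(include))


def find_conflicts(rules, vdi_group_ids):
    """Names of rules that require hardware protection yet still reach VDI users."""
    return [r["name"] for r in rules
            if requires_hardware_protected(r) and rule_reaches_groups(r, vdi_group_ids)]
```

Running find_conflicts(SAMPLE_RULES, VDI_GROUP_IDS) on the sample data reports only the catch-all rule, which is the one that would block Okta Verify users on VDI.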
