Security key (USB) Does Not Show on Desktop MFA Login Screen
Okta Identity Engine
Okta Device Access
Overview

This article details a known issue in Okta Device Access (ODA) Windows Desktop MFA with Okta Verify version 5.5.4 and above.

 

While using Okta Desktop MFA, the Security key (USB)/FIDO option is not available for authentication.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Device Access (ODA)
  • Desktop MFA
  • Windows Devices
Cause
  1. To use online FIDO2 security keys enrolled on the end user’s Okta, administrators must first enable FIDO2 authentication.
  2. If Passwordless access is enabled with UseDirectAuth, users will not be able to use a security key (USB) to log in to the desktop.

Missing Security key (USB) option

Solution
  1. By default, Direct Authentication is disabled. Ensure that the registry key UseDirectAuth under path HKLM\SOFTWARE\Okta\Okta Device Access is set to 1. It will allow users to authenticate with FIDO security keys.
  2. If the AllowedFactors list is configured under path HKLM\SOFTWARE\Policies\Okta\Okta Device Access, ensure that FIDO2_USB_key is in AllowedFactors. By default, all factors are allowed if AllowedFactors is not configured.
  3. Upgrade the Windows Okta Verify client to 5.10 or greater.

 

Once registry values are configured as mentioned above, end users should be able to see the security key in Desktop MFA options during sign-in.
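
To confirm all three conditions on an affected workstation, the read-only PowerShell check below can be run from an elevated prompt. It is an added example, not Okta's own tooling. It assumes that AllowedFactors is stored as a multi-string or a delimited string, and that Okta Verify registers a standard Windows uninstall entry whose DisplayName starts with "Okta Verify".

```powershell
# Added example: read-only audit of the three Desktop MFA conditions from the Solution steps.
$report = [ordered]@{}

# Step 1: UseDirectAuth under HKLM\SOFTWARE\Okta\Okta Device Access must be 1.
$oda = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Okta\Okta Device Access' -ErrorAction SilentlyContinue
if ($null -eq $oda -or $null -eq $oda.UseDirectAuth) {
    $report.UseDirectAuth = 'FAIL: not set (Direct Authentication is disabled by default)'
} elseif ($oda.UseDirectAuth -eq 1) {
    $report.UseDirectAuth = 'OK: 1'
} else {
    $report.UseDirectAuth = "FAIL: value is $($oda.UseDirectAuth), expected 1"
}

# Step 2: if AllowedFactors is configured, it must include FIDO2_USB_key.
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Okta\Okta Device Access' -ErrorAction SilentlyContinue
if ($null -eq $pol -or $null -eq $pol.AllowedFactors) {
    $report.AllowedFactors = 'OK: not configured, all factors allowed'
} else {
    # Assumption: the value is a multi-string or a comma/semicolon-separated string.
    $factors = @($pol.AllowedFactors) -split '[,;]' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    if ($factors -contains 'FIDO2_USB_key') {
        $report.AllowedFactors = "OK: $($factors -join ', ')"
    } else {
        $report.AllowedFactors = "FAIL: FIDO2_USB_key missing from $($factors -join ', ')"
    }
}

# Step 3: Okta Verify must be 5.10 or greater.
# Assumption: the client registers an uninstall entry whose DisplayName starts with "Okta Verify".
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$ov = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Okta Verify*' } | Select-Object -First 1
$installed = $null
if (-not $ov) {
    $report.OktaVerify = 'UNKNOWN: no uninstall entry found'
} elseif (-not [version]::TryParse([string]$ov.DisplayVersion, [ref]$installed)) {
    $report.OktaVerify = "UNKNOWN: cannot parse version '$($ov.DisplayVersion)'"
} elseif ($installed -ge [version]'5.10') {
    $report.OktaVerify = "OK: $installed"
} else {
    $report.OktaVerify = "FAIL: $installed is older than 5.10"
}

[pscustomobject]$report | Format-List
```

Any line reporting FAIL maps directly to the numbered Solution step with the same number; the script changes nothing on the machine.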

Visible Security key (USB) option  
