Understanding PIN Behavior: Why Okta Desktop MFA Requires a Security Key PIN Online, But Not Offline
Multi-Factor Authentication
Okta Identity Engine
Overview

It is expected behavior for a user to be prompted for a Security Key PIN when authenticating online with Okta Desktop MFA, but not when authenticating offline. This difference is due to the authentication protocol changing based on network connectivity, even when using the same physical security key.

Applies To
  • Product: Okta Desktop MFA
  • Authenticator: Security Key (for example, YubiKey)
  • Scenarios: Online vs. Offline authentication attempts
  • Okta Identity Engine (OIE)
Cause

The single security key serves two distinct functions based on connectivity:

  • Online: It uses the FIDO2 (WebAuthn) protocol, which requires User Verification (a PIN or biometric) as a core part of its phishing-resistant design and security standard.
  • Offline: It switches to the OATH protocol (a TOTP generator), which does not require a PIN. For OATH, possession of the physical key is sufficient for the second factor, as the key generates a time-based one-time password (TOTP) that is validated locally.
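To make the protocol difference concrete, the following added example (not Okta's code, and not taken from this article) shows both sides: the offline OATH factor computes and validates an RFC 6238 TOTP code from a shared secret, which proves possession of the key and nothing more, while the online FIDO2/WebAuthn path lets the relying party inspect the authenticator data flags byte, where the UV bit is set only after a PIN or biometric check. The secret is the RFC 6238 test-vector key and the authenticator data blobs are constructed, not captured from a real key.

```python
import base64
import hashlib
import hmac
import struct

# Offline path: OATH TOTP (RFC 6238, HMAC-SHA1). The key holds a shared
# secret; a valid code proves possession only, so no PIN is involved.
def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the TOTP code for a given Unix time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // step)          # T = floor(time / step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp_locally(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Local validation as the offline factor performs it: accept the current
    step and +/- `window` neighbouring steps to absorb clock drift."""
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + i * 30), code)
        for i in range(-window, window + 1)
    )

# Online path: FIDO2/WebAuthn. The relying party reads the flags byte of the
# authenticator data (offset 32, after the 32-byte rpIdHash). UV (0x04) is set
# only when the user verified with a PIN or biometric; UP (0x01) means touch.
FLAG_UP = 0x01
FLAG_UV = 0x04

def assertion_flags(auth_data: bytes) -> dict:
    """Parse UP/UV and the signature counter; raises if the data is shorter
    than the mandatory 37 bytes (rpIdHash + flags + 4-byte counter)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    return {"user_present": bool(flags & FLAG_UP),
            "user_verified": bool(flags & FLAG_UV),
            "sign_count": struct.unpack(">I", auth_data[33:37])[0]}

def accept_assertion(auth_data: bytes, require_uv: bool = True) -> bool:
    """Policy check a relying party applies: touch is always required; UV
    (the PIN prompt) is required when the policy demands user verification."""
    f = assertion_flags(auth_data)
    return f["user_present"] and (f["user_verified"] or not require_uv)

# Constructed sample inputs (not real key material or captured assertions).
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # ASCII "12345678901234567890"
AUTH_DATA_WITH_PIN = bytes(32) + bytes([FLAG_UP | FLAG_UV]) + b"\x00\x00\x00\x07"
AUTH_DATA_TOUCH_ONLY = bytes(32) + bytes([FLAG_UP]) + b"\x00\x00\x00\x07"
```

Running `accept_assertion` on the touch-only blob fails with the default policy, which is exactly the check that makes the online PIN prompt mandatory, whereas `verify_totp_locally` never looks at any user-verification state.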
Solution

This is not an issue requiring a fix; it is the intended design for Okta Desktop MFA. The solution is to understand and communicate the expected behavior:

  • Online Authentication: Always have the security key PIN ready, as the FIDO2 standard and Okta policies require it for user verification.
  • Offline Authentication: Simply insert and tap the security key; no PIN is required for the OATH-based offline factor.

Use Offline security key to sign in with Okta Device Access
