Windows Desktop MFA - Troubleshooting Users Not Getting Prompted for MFA
Okta Device Access
Okta Identity Engine
Overview

This article provides troubleshooting steps for Okta Device Access Desktop MFA for Windows when end users are not prompted for Multi-Factor Authentication (MFA).

Applies To
  • Okta Identity Engine (OIE)
  • Okta Device Access (ODA)
  • Desktop MFA for Windows
  • Multi-Factor Authentication (MFA)
Cause

There are several known reasons why end users may not be prompted for MFA. Refer to the Solution section below for detailed steps to identify and resolve potential configuration issues.

Solution

Refer to each section for more information on what should be checked if the user is not prompted for MFA with Windows Desktop MFA. For more details on obtaining the logs related to these troubleshooting steps, please review Working with Okta Device Access Logs.

 

User authenticator setup

  1. The user must have Okta Verify installed on a mobile device. They can have Okta Verify installed in advance or install it as part of the Desktop MFA setup.
  2. The user must have Okta Verify push notifications enabled for their mobile device.

 

Okta Verify was installed with incorrect parameters on desktop machines

The user sees the following error in the local Okta Device Access logs on the desktop:

  • Failed to get online factors for a user in https://<domain>.okta.com; attempt: 3, internet: True Okta.Sdk.Abstractions.OktaApiException: Invalid value for 'client_id' parameter. (400, invalid_client)

Troubleshooting steps:

  1. Verify installation parameters using the following online documentation: Deploy Desktop MFA endpoints.
  2. Note the values for Client ID and Client secret below to configure the device.

Authentication Tab

  1. Add the registry values under HKLM\SOFTWARE\Okta\Okta Device Access and ensure they are correct:
    • ClientId - REG_SZ (String) value, the Client ID from the Desktop MFA application in Step 2
    • ClientSecret - REG_SZ (String) value, the Client secret from the Desktop MFA application in Step 2
    • NOTE: Beginning in Okta Verify 5.6.6, the clientId and clientSecret values are not visible in this location. Admins create the REG_SZ values and restart the Okta Identity Service to reconfigure the device. Ensure there are no leading or trailing spaces, trailing slashes, etc.
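The following PowerShell is an added example, not Okta's own tooling. It checks the ClientId and ClientSecret values for the defects listed above (missing value, wrong type, stray whitespace, trailing slash), lists any values under the policy key discussed later in this article, and restarts the service. The service display-name pattern is an assumption; confirm it with Get-Service first.

```powershell
# Added example, not Okta's own code. Run in an elevated PowerShell session on the device.
# Assumption: the Okta Identity Service's display name contains "Okta Identity".
$ConfigKey = 'HKLM:\SOFTWARE\Okta\Okta Device Access'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Okta\Okta Device Access'

function Test-OdaClientValue {
    param([Parameter(Mandatory)][string]$Name)
    $key = Get-Item -Path $ConfigKey -ErrorAction SilentlyContinue
    if (-not $key) { return "MISSING KEY: $ConfigKey" }
    # On Okta Verify 5.6.6 and later the values are no longer visible once the service
    # has consumed them, so MISSING is expected on an already reconfigured device.
    if ($key.GetValueNames() -notcontains $Name) { return "MISSING: $Name" }
    $kind = $key.GetValueKind($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::String) {
        return "WRONG TYPE: $Name is $kind; expected REG_SZ"
    }
    $value = [string]$key.GetValue($Name)          # never printed: ClientSecret is sensitive
    if ($value.Length -eq 0)      { return "EMPTY: $Name" }
    if ($value -ne $value.Trim()) { return "BAD: $Name has leading or trailing whitespace" }
    if ($value.EndsWith('/'))     { return "BAD: $Name has a trailing slash" }
    return "OK: $Name"
}

function Get-OdaPolicyOverride {
    # Lists every value under the policy key so unexpected custom configuration stands out.
    $key = Get-Item -Path $PolicyKey -ErrorAction SilentlyContinue
    if (-not $key) { return @() }
    foreach ($n in $key.GetValueNames()) {
        [pscustomobject]@{ Name = $n; Kind = $key.GetValueKind($n); Value = $key.GetValue($n) }
    }
}

function Restart-OdaIdentityService {
    # Assumed display-name pattern; the article says a restart reapplies the registry values.
    $svc = Get-Service | Where-Object { $_.DisplayName -like '*Okta Identity*' }
    if (-not $svc) { Write-Warning 'Okta Identity Service not found; check Get-Service'; return }
    Restart-Service -InputObject $svc -Force
}

'ClientId', 'ClientSecret' | ForEach-Object { Test-OdaClientValue -Name $_ }
Get-OdaPolicyOverride | Format-Table -AutoSize
```

Call Restart-OdaIdentityService only after the checks report OK; the restart is what makes the device pick up corrected values.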

The user is not assigned the application, or the assignment is incorrect

Admins will see the following error in the Okta System Log:

  • 'login_hint' did not match a user assigned to the client app.

Troubleshooting steps:

  1. Ensure the user is assigned to the Desktop MFA app.

Desktop MFA app

  1. Verify the username format on the application using this table:

     Device Join Status          | Application username format
     AD joined or hybrid joined  | samaccountname
     Entra ID joined             | Entra ID UPN

    1. Navigate to Applications > Applications and open the Desktop MFA app.
    2. On the application configuration page, choose the Authentication tab.
    3. At the bottom of the Authentication page, under Credentials Details, check the Application username format field; this is where the username format the app uses is shown.
       (Screenshot: Sign-on Settings)

Authentication Policy was modified from the default, causing it not to return the proper challenge for OV mobile Push/TOTP

  • Desktop MFA only validates the MFA challenge in Okta; the password is validated by the Windows Credential Provider. Any change to the Authentication Policy for Desktop MFA can cause Desktop MFA to fail with the Login Failed message, or the user will see only offline factors, if enrolled.
  • Change the Authentication Policy back to the default setting and ensure the required authenticators are listed.
    (Screenshot: required authenticators)

 

The device has no connection to the Okta tenant

The user will be prompted only for offline factors, and the following error can be found:

  • Failed to get online factors for a user in https://<domain>.okta.com; attempt: 1, internet: False
    System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The remote name could not be resolved: '<domain>.okta.com'
       at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)

Troubleshooting steps:

  1. Ensure the device is connected to the Internet.
  2. If there is any proxy setup in the network, ensure traffic from the device to the Okta tenant URL is allowed.
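As an added example (not Okta's own code), the PowerShell below classifies "Failed to get online factors" entries from a local Okta Device Access log using the two error patterns quoted in this article (the invalid_client error above and the connectivity error in this section), then checks the tenant the way the steps above describe: DNS resolution first, then TCP 443. The log lines are constructed samples and the tenant name is a placeholder.

```powershell
# Added example, not Okta's own code. Pass real log lines with:
#   Get-OdaOnlineFactorFailure -Lines (Get-Content '<path to Okta Device Access log>')
function Get-OdaOnlineFactorFailure {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match 'Failed to get online factors for a user in (?<tenant>\S+?);.*internet: (?<net>True|False)') {
            # Capture now: the -match calls below overwrite $Matches.
            $tenant = $Matches.tenant
            $online = $Matches.net -eq 'True'
            $cause = if ($line -match 'invalid_client') {
                         'Invalid client_id: check the ClientId/ClientSecret registry values'
                     } elseif (-not $online -or $line -match 'remote name could not be resolved') {
                         'No connection to the Okta tenant: check Internet access and proxy rules'
                     } else { 'Unclassified: review the full log entry' }
            [pscustomobject]@{ Tenant = $tenant; Internet = $online; Cause = $cause }
        }
    }
}

function Test-OdaTenantReachable {
    param([Parameter(Mandatory)][string]$TenantUrl)
    $hostName = ([uri]$TenantUrl).Host
    if (-not (Resolve-DnsName -Name $hostName -ErrorAction SilentlyContinue)) {
        return "DNS FAIL: $hostName cannot be resolved (matches the 'remote name could not be resolved' error)"
    }
    # Test-NetConnection ignores any system proxy: if this passes but Desktop MFA still
    # reports internet: False, the proxy rules for the tenant URL are the next thing to check.
    $tcp = Test-NetConnection -ComputerName $hostName -Port 443 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) { return "TCP FAIL: 443/tcp to $hostName is blocked; check proxy or firewall rules" }
    return "OK: $hostName reachable on 443/tcp"
}

# Constructed sample log lines modelled on the errors quoted in this article.
$SampleLog = @(
    "Failed to get online factors for a user in https://example.okta.com; attempt: 3, internet: True Okta.Sdk.Abstractions.OktaApiException: Invalid value for 'client_id' parameter. (400, invalid_client)",
    "Failed to get online factors for a user in https://example.okta.com; attempt: 1, internet: False"
)
$findings = Get-OdaOnlineFactorFailure -Lines $SampleLog
$findings | Format-Table -AutoSize
$findings | Where-Object { -not $_.Internet } | Select-Object -ExpandProperty Tenant -Unique |
    ForEach-Object { Test-OdaTenantReachable -TenantUrl $_ }
```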

 

The Okta credential provider was not used to authenticate to the device

 

Validate the Windows Registry

  • On any device that does not show an MFA prompt, check whether custom configuration has been pushed through Windows registry keys under HKLM\Software\Policies\Okta\Okta Device Access.
  • The Windows registry keys used for custom Okta Device Access policies are documented in Configure access policies.

 
