This article details a known issue with a Windows Desktop MFA configuration that is available with the release of Okta Verify 5.4.
The issue occurs when a user has not yet enrolled an authenticator and "UseDirectAuth" has been enabled on the local machine. Even though the "MaxLoginsWithoutEnrolledFactors" limit has not been reached, the user can still be blocked from logging in. If the device is online, end users are always asked to authenticate with online factors, even when an offline factor is enrolled or allowed.
- Okta Identity Engine (OIE)
- Okta Device Access - Desktop MFA
- Windows Okta Verify
This is a known issue introduced with the "UseDirectAuth" functionality and Okta Verify version 5.4.
Okta Product Engineering is aware of this errant behavior and plans to deploy a patch in a future Okta Verify release.
Workarounds
- Upgrade the Windows Okta Verify client to 6.1.1.
  - This Okta Verify version adds a "Skip for Now" button to the login page for users who have not yet logged in to the device.
- Pre-enroll authenticators for new users.
  - End users may enroll in Okta Verify on a mobile device before logging in to their laptop or desktop.
  - Onboard with a pre-enrolled YubiKey (FIDO2 WebAuthn).
- Take the device offline before login.
  - The end user may perform an offline login, then bring the local machine back online and enroll an authenticator.
- Disable "UseDirectAuth" on the local machine (the default setting) and reboot the local machine.
  - Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Okta\Okta Device Access\UseDirectAuth : REG_DWORD = 0
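The registry workaround above can be checked and applied from an elevated PowerShell session. The following script is an added example, not Okta's own tooling: it reads the "UseDirectAuth" value at the registry path the article gives, reports whether the machine matches the affected configuration, and clears the flag only when it is actually set. The script also reads "MaxLoginsWithoutEnrolledFactors"; the article names that setting but not its location, so reading it from the same "Okta Device Access" key is an assumption. A reboot is still required after the change, as the workaround states.

```powershell
# Added example (not Okta's own code): inspect and, on request, clear the
# UseDirectAuth flag tied to the Okta Verify 5.4 login block described above.
# Run from an elevated PowerShell session; reboot afterwards for it to apply.
# The UseDirectAuth path is the one given in the article. The location of
# MaxLoginsWithoutEnrolledFactors under the same key is an ASSUMPTION.
$keyPath = 'HKLM:\SOFTWARE\Okta\Okta Device Access'

function Get-OktaDesktopMfaSetting {
    # Returns the named DWORD value from the Okta Device Access key, or $null
    # when the key or the value does not exist (i.e. the default applies).
    param([Parameter(Mandatory)][string]$Name)
    if (-not (Test-Path -Path $keyPath)) { return $null }
    $item = Get-ItemProperty -Path $keyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-OktaAffectedConfiguration {
    # The article's trigger: UseDirectAuth enabled (1) on this machine.
    return ((Get-OktaDesktopMfaSetting -Name 'UseDirectAuth') -eq 1)
}

function Disable-OktaUseDirectAuth {
    # Writes UseDirectAuth = 0 (the default per the article) only when it is set,
    # so an already-default machine is left untouched.
    if (Test-OktaAffectedConfiguration) {
        Set-ItemProperty -Path $keyPath -Name 'UseDirectAuth' -Value 0 -Type DWord
        Write-Output 'UseDirectAuth set to 0; reboot the machine for the change to take effect.'
    } else {
        Write-Output 'UseDirectAuth is not enabled on this machine; nothing to change.'
    }
}

# Report the state relevant to this issue before changing anything.
$useDirectAuth = Get-OktaDesktopMfaSetting -Name 'UseDirectAuth'
$maxLogins     = Get-OktaDesktopMfaSetting -Name 'MaxLoginsWithoutEnrolledFactors'  # assumed location
Write-Output "UseDirectAuth                   : $useDirectAuth"
Write-Output "MaxLoginsWithoutEnrolledFactors : $maxLogins"
if (Test-OktaAffectedConfiguration) {
    Write-Output 'This machine matches the affected configuration; run Disable-OktaUseDirectAuth to apply the registry workaround.'
}
```

Running the script without calling Disable-OktaUseDirectAuth is read-only, which makes it safe to use first as a fleet-wide check (for example through an endpoint management tool) before deciding between this workaround and the client upgrade to 6.1.1.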
