Windows Desktop MFA Users Unable to Login with FIDO2 Security Keys or Okta Verify Push or TOTP when UseDirectAuth is Enabled
Overview

When using UseDirectAuth, users are unable to authenticate with FIDO2 security keys or Okta Verify push/TOTP. This is a known issue with Windows Desktop MFA in Okta Device Access (ODA) when using Okta Verify version 5.5.4 or later.

Okta Admins will see the following event in the Okta system log:

‘login_hint’ did not match a user assigned to the client app. FAILURE: mfa_attestation_login_hint_invalid

Corresponding ODA client logs will show:

<year>-<month>-<day> <hh>:<mm>:<s>.<ss> <TZ> [INF] [ :large_blue_square: ] [Fido2Manager::CancelAssert] No active FIDO2 assertion to request cancel.
<year>-<month>-<day> <hh>:<mm>:<s>.<ss> <TZ> [INF] [ :large_blue_square: ] [DirectAuthClient::CallDirectAuthApi] Calling https://<OktaSubDomain.okta.com/oauth2/v1/primary-authenticate path:/oauth2/v1/primary-authenticate loginHint: <HIDDEN> grantType: intent= acrValues:urn:okta:app:mfa:attestation scope: channelHint: oobCode:
<year>-<month>-<day> <hh>:<mm>:<s>.<ss> <TZ> [INF] [ :large_blue_square: ] [DirectAuthFido2UserChallenge::InitChallengeAsync] InvalidOperationException access_denied The required authenticator cannot be used. Check if it is required by policy and the user is enrolled in the authenticator and try again. Forbidden
<year>-<month>-<day> <hh>:<mm>:<s>.<ss> <TZ> [INF] [ :large_blue_square: ] [UserLogonSession::InitChallengeAsync] Init challege: 'Security key (USB) ':ExternalWithPin:Online Result=Failure (msg=Challenge failed.)

Applies To
  • Okta Identity Engine (OIE)
  • Okta Device Access (ODA)
  • Desktop Multi-Factor Authentication (MFA)
  • Windows Okta Verify

Cause

This issue occurs when the Okta username does not match the Active Directory User Principal Name (UPN) for Active Directory-joined devices. For Entra ID-joined devices, this issue occurs when the Okta username does not match the Entra ID UPN.
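As an added illustration (not part of the Okta article), a small Python audit that applies the cause above: it lists the users whose Okta username differs from the directory UPN, which is exactly the value the additional identifier attribute must carry, and counts occurrences of the system log failure quoted earlier. The record layout, attribute name altUsername and all sample values are constructed assumptions; in practice the Okta logins would come from a user export and the UPNs from AD or Entra ID.

```python
import re

# Failure reason from the Okta system log event quoted in this article.
FAILURE_REASON = "mfa_attestation_login_hint_invalid"
# Accept straight or curly quotes around login_hint, since copied text varies.
LOGIN_HINT_EVENT = re.compile(
    r"[‘']login_hint[’'] did not match a user assigned to the client app\.\s*"
    r"FAILURE: " + FAILURE_REASON
)


def find_affected_users(records):
    """Return {okta_login: upn} for every user whose Okta username differs
    from the directory UPN. Under UseDirectAuth these are the users whose
    login_hint will not resolve, so each needs the additional identifier
    attribute (altUsername in the article) populated with the UPN shown."""
    return {r["okta_login"]: r["upn"] for r in records
            if r["okta_login"] != r["upn"]}


def count_login_hint_failures(log_lines):
    """Count system log lines carrying the login_hint mismatch failure."""
    return sum(1 for line in log_lines if LOGIN_HINT_EVENT.search(line))


# Constructed sample data; not from a real tenant or directory.
SAMPLE_RECORDS = [
    {"okta_login": "jdoe@corp.example.com", "upn": "jdoe@corp.example.com"},
    {"okta_login": "asmith@example.com", "upn": "asmith@corp.example.com"},
    {"okta_login": "bwong", "upn": "bwong@corp.example.com"},
]
SAMPLE_SYSLOG = [
    "<unrelated constructed event> OUTCOME: SUCCESS",
    "'login_hint' did not match a user assigned to the client app. "
    "FAILURE: mfa_attestation_login_hint_invalid",
]

if __name__ == "__main__":
    for login, upn in find_affected_users(SAMPLE_RECORDS).items():
        print(f"{login}: populate altUsername with {upn}")
    print(count_login_hint_failures(SAMPLE_SYSLOG), "login_hint failure(s)")
```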


Solution

If the Okta username assignment cannot be changed to match the required values detailed above, Okta Admins may configure multiple identifiers in the user profile policies so that users can also be identified by an additional attribute. This attribute should contain the username from Active Directory (AD) or Entra ID, depending on the environment (see the Add Identifiers to a User Profile Policy section below).

Create New Profile Attribute

If the user profile does not already contain a suitable custom attribute, create one. Custom identifier attributes cannot be hidden or contain sensitive information. Be sure to set the Data type to string and the Restriction to Value must be unique for each user.

To Create a New Profile Attribute:

  1. In the Okta Admin Console, navigate to Directory > Profile Editor.
  2. Choose Okta > User (default).

[Screenshot: Profile Editor]

  3. Select Add Attribute.

[Screenshot: Add attribute]

  4. Configure the values for:
    1. Data type: string.
    2. Display name: Enter a descriptive name to display for the attribute in the Okta Admin Console.
    3. Variable name: Enter a name for the attribute that can be referenced in mappings.
    4. Description: Enter a description of the attribute.
      • This is optional, but consider adding a description to keep track of the attribute's purpose.
    5. Select Value must be unique for each user.
      • This requires the attribute to be unique for every user.
    6. Keep user permissions as Read Only.

[Screenshot: Attribute Configuration]

  5. Select Save.

Mapping Value to Attribute

For Active Directory-joined devices, map the UPN to the custom attribute created above. For Entra ID-joined devices, map the Entra ID UPN to the attribute created above.

  1. Navigate back to Directory > Profile Editor in the Okta Admin Console.
  2. Choose the Active Directory integration.

[Screenshot: Profile Editor]

  3. Choose Mappings.
  4. Scroll to the bottom, and map UPN (appuser.userName) to the attribute created above (in this example, altUsername).
  5. Choose Save Mappings.

[Screenshot: Attribute mapping]

  6. Choose Apply updates now.

[Screenshot: Apply updates]


Add Identifiers to a User Profile Policy

  1. In the Okta Admin Console, go to Security > User Profile Policies.
  2. Click the +Add user profile policy button. Enter a name for the policy, such as "DesktopMFA".
  3. Locate the new policy, and then click its Edit icon.

[Screenshot: User Profile Policies]

  4. On the Identification tab, click Add identifier.

[Screenshot: Add identifier]

  5. Search for and select the attribute in the dropdown menu.

[Screenshot: Select Attribute]

  6. Select Apps, and then select + Add an App to This Policy.

[Screenshot: Add an App to This Policy]

  7. Find the Desktop MFA application and select Close. If there are multiple Desktop MFA applications, they can all be added to this policy.
  8. Click Save.