
SecN.79290 (Customer) asked a question.
Using an established Windows Desktop MFA app integration, I configured two separate Yubikey 5C's (Non-NFC/bluetooth) with two separate accounts/workstations, but we are not being given the option to use the Yubikey for MFA during sign in.
Rules have Yubikey as MFA, both workstations have all required registry keys (including AllowedFactors, UserDirectAuth (1)).
Coworker was able to add the security key to their Okta Verify desktop app as an offline TOTP and it worked, but no documentation that I have found shows that. So, that's great for that one workstation, but we still cannot take that Yubikey to other workstations and use it with online factor without setting it up as a method in the desktop app of another workstation (assuming we do not have our account loaded on the PC).

Hello @SecN.79290 (Customer) Thank you for posting on our Community page!
If the Yubikey was not properly set up, it could cause an issue and not have it prompt as an MFA. Please make sure that all the right steps were done:
https://help.okta.com/en-us/content/topics/security/mfa/yubikey.htm
Additionally you can also review the System Log to see if you have anything there that could point to the issue.
Thank you for reaching out to our Community and have a great day!
--
Help others in the community by liking or hitting Select as Best if this response helped you.
The new Okta Help Center YouTube channel is your go-to resource for tips, troubleshooting, and best practice videos. Subscribe today.

Hey @Paul S. (Okta, Inc.)
We have followed both the Okta and Yubico docs pertaining to configuring our Yubikey 5C (non-NFC) keys. Uploaded the seed files to Okta tenant, assigned keys to users, added the additional registry keys included in the documentation for "allowed factors" and "directauth." Configured the rules in the tenant around the desktop MFA application to include Yubikey, but still - when a user signs in and is prompted by Okta, and they choose "try another way" - the Yubikey is not an option.
Additionally, the key was added to the workstation Okta Verify application as an offline TOTP. But there is still no option for "online" authentication using the key.
Your assistance is greatly appreciated, Paul! Thanks.

Hello @SecN.79290 (Customer) I would recommend opening a case with Support, as this requires additional investigation, and a technical engineer would be able to have access to additional tools to get to the bottom of this.
Thank you for reaching out to our Community and have a great day!