Troubleshoot Desktop MFA for Windows

To troubleshoot Desktop MFA for Windows, ensure you meet the Prerequisites.

Sign-in issues

If a user exceeds the sign-in limit (default limit: 50) for setting up an offline sign-in method, the user can no longer sign in to Windows. The user receives a message stating "Your organization requires an offline method to verify your identity. You don't have an offline method set up. An administrator must update your machine." You can add a message with administrator contact details by editing the AdminContactInfo registry key. See Configure Desktop MFA policies.

To resolve the problem, consider these options:

  • Change the MfaRequiredList policy using your MDM solution or Group Policy:

    1. Remove the user from the list, or set the list to empty.

    2. Push the setting to the user’s computer.

    3. Ask the user to reboot for the new group policy to take effect and to update the registry.

  • Reset the counters, or remove the entry for the affected user. Users' sign-in attempts are tracked in HKLM\Software\Okta\Okta Device Access\User Policies\<upn username>. The key name is the User Principal Name (UPN) without its domain suffix: if the UPN is user@domain.com, the registry key path is HKLM\Software\Okta\Okta Device Access\User Policies\user@domain. The user-specific key holds two sign-in counters: LoginsWithOfflineFactorCounter and LoginsWithoutEnrolledFactorsCounter. Remove the registry key for the affected user (in the current example, HKLM\Software\Okta\Okta Device Access\User Policies\user@domain), set the sign-in counters to zero, or both. After a user has successfully signed in with an online authentication method, LoginsWithOfflineFactorCounter is reset to 0.

  • When a user’s LoginsWithOfflineFactorCounter exceeds the value set in MaxLoginsWithOfflineFactor, the user can't sign in with an offline method. Reset the counter to 0 to allow the user to sign in with an offline authentication method again.

  • If a user has surpassed all sign-in limits, reset the user's LoginsWithoutEnrolledFactorsCounter to zero. This allows the user to sign in without an enrolled authentication method and create the required offline authentication method.

  • To remove all offline enrollments, delete the OktaDeviceAccessData.dat.db file from C:\Windows\System32\config\systemprofile\appdata\local\Okta Device Access. This deletes all offline registrations, and prompts users to enroll their offline authentication methods again.
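The following script is an added example of the counter reset described above; it is not Okta's own tooling, and it is also the "use PowerShell to update key values" approach referred to under Other issues. It derives the per-user key name from the UPN, shows the two counters, then either zeroes them or deletes the key, and can optionally delete the offline enrollment store. The script name, the parameter names, and the rule that the key name drops only the final domain label (user@corp.example.com becoming user@corp.example) are assumptions not stated on this page; if the derived key is missing, the script lists the keys that do exist so you can confirm the naming on your machine. Run it elevated, and with -WhatIf first.

```powershell
# Reset-OktaDesktopMfaCounters.ps1 (hypothetical name; added example, not Okta's code)
# Inspect and reset Desktop MFA sign-in counters for one user, or remove the user's key.
# Assumptions not stated on the page: counters are REG_DWORD values, and the key name
# drops only the final label of the UPN's domain (user@domain.com -> user@domain).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$Upn,                      # e.g. user@domain.com
    [switch]$RemoveKey,                # delete the whole per-user key instead of zeroing counters
    [switch]$RemoveOfflineEnrollments  # also delete the offline enrollment store (affects ALL users)
)

$basePath = 'HKLM:\SOFTWARE\Okta\Okta Device Access\User Policies'
$dbPath   = 'C:\Windows\System32\config\systemprofile\AppData\Local\Okta Device Access\OktaDeviceAccessData.dat.db'
$counters = @('LoginsWithOfflineFactorCounter', 'LoginsWithoutEnrolledFactorsCounter')

# HKLM writes need an elevated session; fail early rather than half-way through.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# user@domain.com -> user@domain (assumed rule: strip the last domain label only)
function ConvertTo-OktaUserKeyName {
    param([string]$UserPrincipalName)
    if ($UserPrincipalName -notmatch '^[^@]+@[^@]+\.[^@.]+$') {
        throw "'$UserPrincipalName' is not in user@domain.tld form."
    }
    $localPart, $domain = $UserPrincipalName -split '@', 2
    $domainNoSuffix = $domain -replace '\.[^.]+$', ''
    return "$localPart@$domainNoSuffix"
}

$keyName = ConvertTo-OktaUserKeyName -UserPrincipalName $Upn
$keyPath = Join-Path $basePath $keyName

if (-not (Test-Path -LiteralPath $keyPath)) {
    Write-Warning "No key at $keyPath. Per-user keys present on this computer:"
    Get-ChildItem -LiteralPath $basePath -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Warning "  $($_.PSChildName)" }
    return
}

# Show current values before changing anything, so the state is on record.
$props = Get-ItemProperty -LiteralPath $keyPath
foreach ($c in $counters) {
    $val = if ($null -ne $props.$c) { $props.$c } else { '<absent>' }
    Write-Host ('{0,-40} {1}' -f $c, $val)
}

if ($RemoveKey) {
    if ($PSCmdlet.ShouldProcess($keyPath, 'Remove per-user key')) {
        Remove-Item -LiteralPath $keyPath -Recurse
    }
}
else {
    foreach ($c in $counters) {
        if ($PSCmdlet.ShouldProcess("$keyPath\$c", 'Set to 0')) {
            Set-ItemProperty -LiteralPath $keyPath -Name $c -Value 0 -Type DWord
        }
    }
}

# Optional: wipe all offline enrollments; every user on the device must re-enroll.
if ($RemoveOfflineEnrollments -and (Test-Path -LiteralPath $dbPath)) {
    if ($PSCmdlet.ShouldProcess($dbPath, 'Delete offline enrollment store (all users)')) {
        Remove-Item -LiteralPath $dbPath -Force
    }
}
```

Usage: `.\Reset-OktaDesktopMfaCounters.ps1 -Upn user@domain.com -WhatIf` shows what would change without touching the registry; drop -WhatIf to apply, add -RemoveKey to delete the user's key instead, and add -RemoveOfflineEnrollments only when you intend every user on the device to re-enroll. Treat the deletion of the enrollment store as a last resort, since it removes every user's offline registrations, not just the affected user's.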

Device issues

If a user loses their phone or YubiKey and has not yet set up an online method (Okta Verify push or OTP), the user can't access their computer even if they're within the sign-in limit. To resolve the problem, consider these options:

  • Change the MfaRequiredList policy using your MDM solution or Group Policy:

    1. Remove the user from the list, or set the list to empty.

    2. Push the setting to the user’s computer.

    3. Ask the user to reboot for the new group policy to take effect and to update the registry.

  • Reset the user’s online authentication method, then ask the user to enroll a new online method.

If the username associated with a user changes, Okta Verify considers it a new user and the existing offline factors don't work. Have the user enroll their offline methods again to gain offline access using Desktop MFA.

Other issues

  • Okta FastPass and WebAuthn sign-in methods aren’t supported.

  • Number challenge doesn't work with Desktop MFA.

  • Desktop MFA logs are stored locally on the user's desktop computer at C:\Windows\System32\config\systemprofile\AppData\Local\Okta Device Access\Logs.

  • After installation, users may see two instances of Okta Verify in the installed programs list.

  • It's not possible to downgrade Okta Verify at this time.

  • Running the Okta Verify installer a second time with command-line parameters doesn't change the registry key parameters. To change Okta Verify parameters, use PowerShell to update key values.