Desktop MFA for macOS

Desktop MFA for macOS adds an extra layer of security to the macOS sign-in process by requiring users to provide additional authentication factors before they can access the computer.

Configure Desktop MFA in the Admin Console and then deploy it through your mobile device management (MDM) solution. The MDM deployment pushes a single, packaged installer to desktop computers. The user experience depends on which options you enable and how you configure your org authentication policies.

After you configure and deploy Desktop MFA for macOS, users are prompted to set up one or more authentication methods to verify their identity. Users must configure at least one authentication method within the configurable sign-in limit. If a user goes over the limit, they're locked out of the computer and admin intervention is required to regain access.

Link accounts

Account linking for Okta Desktop MFA on macOS creates a secure and streamlined sign-in experience by integrating macOS authentication with the identity management and MFA capabilities of Okta.

When you set up Desktop MFA for macOS, Okta links the user's local macOS user account with their Okta identity. The primary goal of account linking is to unify the authentication experience. Instead of maintaining separate passwords for their local computer and Okta accounts, users can sign in using their Okta username, password, and an MFA factor like Okta Verify Push, Okta Verify TOTP, or a FIDO2 key.

See Link an end user account to macOS.

Before you begin

Ensure that you meet these requirements:

  • Your Okta Identity Engine org is available.
  • Your macOS computers are running a supported version of macOS. See Supported platforms for Okta Verify.
  • The Okta Verify authenticator is set up in your org.
  • Okta Verify push notifications are enabled.
  • Users have Okta Verify installed on a mobile device.
  • Devices are enrolled in mobile device management software that supports the deployment of installer packages and configuration profiles.
  • The Desktop MFA app is available for your org. If you can't locate the Desktop MFA app in the Okta app catalog, contact your account representative.

Tasks