If your organization requires the use of a second authentication method at the macOS login window, you can create an additional application in Okta to enforce this setting. The configuration will include:
- An application registration with a Sign On Policy (via Okta Classic Engine) or an Authentication Policy (via Okta Identity Engine) that requires the use of a password and an additional supported authentication factor at the macOS login window.
- An application registration with a Sign On Policy (via Okta Classic Engine) or an Authentication Policy (via Okta Identity Engine) that requires only a password for periodic background checks comparing the macOS local user account password with the current Okta account password.
Due to limitations in macOS, hardware authenticators are unavailable at the login window. The only exception to this is a YubiKey in hardware one-time password mode. To verify which authenticators are enabled in Okta, navigate to the Security tab in your Okta Admin Console. For Okta Classic Engine, click Multifactor, and for Okta Identity Engine, click Authenticators.
Users may be presented with incompatible authentication options at the macOS login window. Users should be notified that options such as Okta FastPass and hardware authenticators are unavailable at the login window.