Employees expect secure, seamless access to the apps and tools that power their work, wherever they are and whenever they need them. But one thing is clear: traditional single sign-on (SSO) and multi-factor authentication (MFA) alone aren’t enough. Not only are users frustrated with repeated authentication prompts, but these standard defenses may also fail to protect against more sophisticated identity-based attacks.

While widespread SSO adoption has significantly improved workforce productivity and user experience, it has also created a single, high-value asset, the persistent session token or cookie, which can be leveraged to bypass MFA. According to the 2025 SpyCloud Identity Exposure Report, around 17.3 billion session cookies were stolen from malware-infected devices in 2024. How can organizations protect against session replay and reduce login friction for their workforce?

At Okta, we believe identity security should empower IT and security teams to protect all login touchpoints without compromising productivity or agility. That’s why Okta has long prioritized delivering the deepest device integrations with major platforms and investing meaningfully in device access.

Now, we are excited to announce the next evolution of Okta Device Access, introducing a new way to harness your devices to redefine how you protect applications. Device-Bound Single Sign-On (SSO) delivers session replay protection and a streamlined login experience, helping users securely get where they need to go.

A secure start with hardware-protected SSO

Device-Bound SSO, a new feature under Okta Device Access, initiates a hardware-protected SSO session for seamless access to your downstream apps after device login. Unlike traditional SSO, this feature reduces authentication prompts while minimizing the risk of Okta SSO session replay. You gain defense-in-depth security that ties application access to trusted user and device identities.

With Device-Bound Single Sign-On, SSO can start when you’re first verified at device login, shifting security to the earliest access point and ensuring trust begins with the device itself. This means you can leverage a successfully completed device login with Okta Device Access to gain access to downstream resources requiring the same level of security assurance. Not only does this decrease how often you are asked to authenticate, reducing the entry points for threat actors, but it also initiates a hardware-protected and cryptographically secure session, which helps make identity-based attacks much harder to carry out. Because access is tied not only to the user but also to their device, a threat actor who steals an active Okta SSO session won’t be able to leverage it from a different device.

Okta Device Access brings the best of Okta’s simple, secure authentication experience to the point of device login for Windows and macOS computers. And now with Device-Bound SSO, users can securely access their work resources simply by signing in to their Okta-joined devices, enabling them to get to work safer and faster.

Configure your devices to be joined to Okta

Device-Bound SSO is available to all Okta-joined devices. By joining your devices to Okta, you can take advantage of a modern, unified authentication experience from devices to apps.

An Okta-joined device is simply a device that is registered directly with Okta and becomes part of your organization’s trusted identity security fabric. The device isn’t just a piece of hardware anymore; it’s recognized and secured as a first-class identity. In other words, Okta handles access management requirements on that device as the unified authentication layer and directory for user and device identities, working in partnership with your device management solution and ecosystem of tools.

For the workforce, this facilitates a smoother start to the workday: sign in once with the device and seamlessly access Okta-protected apps. For IT and security teams, it turns each login into a handshake of trust between the user, device, and organization, closing the gaps of fragmented identity by binding the device itself to your security posture while making it easier to protect data and keep the workforce moving.

Organizations can also join to Okta a device that’s already joined to Active Directory or Entra ID, which places it in a hybrid Okta-joined state. In either case, organizations gain a secure and modern experience with key identity security outcomes such as:

  • The device is registered in Okta Universal Directory, and operating system (OS) profiles can be linked to a primary Okta user
  • Authentications on the device are secured by a device session that is hardware-protected (i.e., to enable Device-Bound SSO, the device must be Okta-joined)
  • During authentication, Okta will attest that the user is accessing a protected resource from an Okta-joined device

As Okta Device Access continues to introduce additional features and capabilities, an Okta-joined device will be best positioned to take advantage of protection that starts at the very first login, helping to turn your device into a trusted gateway.

How to learn more

Okta Device Access delivers a modern, unified authentication experience on Okta-joined devices, helping people get to work safer and faster. By verifying trust at the very first login, security begins with the device itself, hardening protection while streamlining the path to downstream resources.

Device-Bound SSO is now available for self-service Early Access. Support is available for both Windows and macOS devices. To learn more about Device-Bound SSO, take a look at the product documentation.
