Google Authenticator (MFA)

Google Authenticator is an app that provides a Time-based One-time Password (TOTP) as a second factor of authentication to users who sign in to environments where multifactor authentication (MFA) is required.

Admins add Google Authenticator to the list of accepted factors in Okta. Users who then select it to authenticate are prompted in Okta to enter the time-based, six-digit code shown in the Google Authenticator app.

Add Google Authenticator as a factor

  1. In the Admin Console, go to Security > Multifactor.
  2. In Factor Types, click Google Authenticator.
  3. Click Inactive in the upper right and then select Activate.
  4. Enroll Google Authenticator in a multifactor policy.

Enroll Google Authenticator in a multifactor policy

  1. In the Admin Console, go to Security > Multifactor.
  2. On the Factor Enrollment tab, add a new multifactor policy or edit an existing one.

Add a policy

  1. Click Add Multifactor Policy.
  2. Enter a name.
  3. Assign to groups.
  4. Set Google Authenticator to Optional or Required.
  5. Click Create Policy.
  6. To add one or more rules to the policy, see Configure an MFA enrollment policy.

Edit a policy

  1. Select the policy that you want to edit, and then click Edit.
  2. In Effective factors, set Google Authenticator to Optional or Required.
  3. Click Update Policy.
  4. To add one or more rules to the policy, see Configure an MFA enrollment policy.

End-user experience

  1. Go to the Apple App Store or the Google Play Store and install Google Authenticator on your device.
  2. In the web browser on your computer: When signing in to Okta or accessing an Okta-protected resource, enter your credentials and then click Next.
  3. On the Setup security authenticators page, click Set up.
  4. Select your device type, and then click Next.
  5. Perform the QR code scanning steps that apply to you:

    If your device can scan QR codes:

    1. Don't click Next in the browser yet; instead, on your mobile device, launch Google Authenticator.
    2. In Google Authenticator, tap the + sign.
    3. Tap Scan a QR code and then point your camera at the QR code displayed in the browser on your computer. Your device camera scans the QR code automatically.
    4. In the web browser on your computer, click Next.
    5. In the Enter Code field, enter the setup key shown in Google Authenticator on your mobile device.
    6. Click Verify.

    If your device can't scan QR codes:

    1. Don't click Next in the browser yet.
    2. In the web browser on your computer, click Can't scan.
    3. In the field above the Next button, make a note of the string of numbers and letters.
    4. On your mobile device, launch Google Authenticator.
    5. Tap the + sign.
    6. Tap Enter a setup key.
    7. In the Account field, enter your Okta username.
    8. In the Key field, enter the string of numbers and letters that you made a note of earlier.
    9. Tap Add. The message Secret saved appears.
    10. In the web browser on your computer, click Next.
    11. In the Enter Code field, enter the setup key shown in Google Authenticator on your mobile device.
    12. Click Verify.

Important considerations

  • The time on the end user's device might not be the same as the time on the clock in the Google Authenticator app. The Google Authenticator app allows a time difference on the end-user device of up to two minutes earlier or later than the time in the Google Authenticator app.

  • After five unsuccessful authentication attempts, regardless of the time between the attempts, the user account is locked and the admin must reset it.

Related topics

Configure an MFA enrollment policy