Google Authenticator (MFA)

You can add Google Authenticator as a multifactor authentication (MFA) option in Okta. When Google Authenticator is enabled as a factor, users who select it to authenticate are prompted to enter a time-based 6-digit code generated by the Google Authenticator app.

Add Google Authenticator as a factor

  1. In the Admin Console, go to Security > Multifactor.
  2. In Factor Types, click Google Authenticator.
  3. Click Inactive in the upper right and then select Activate.

End-user experience

  1. If you haven’t done so already, go to the Apple App Store or Play Store and install Google Authenticator on your device.

  2. In the web browser on your computer: When signing in to Okta or accessing an Okta-protected resource, enter your credentials and then click Next.

  3. On the Set up multifactor authentication screen, click Setup.

  4. Select your device type, and then click Next.

  5. Perform the QR code scanning steps that apply to you:

    If your device supports scanning the QR code:

    1. Don’t click Next in the browser yet.

    2. On your mobile device, launch Google Authenticator.

    3. In Google Authenticator, tap the + sign.

    4. Tap Scan a QR code and then point your camera at the QR code displayed in the browser on your computer. Your device camera scans the QR code automatically.

    5. In the web browser on your computer, click Next.

    6. In the Enter Code field, enter the setup key shown in Google Authenticator on your mobile device.

    7. Click Verify.

    If you can’t scan the QR code:

    1. Don’t click Next in the browser yet.

    2. In the web browser on your computer, click Can’t scan.

    3. In the field above the Next button, make a note of the string of numbers and letters.

    4. On your mobile device, launch Google Authenticator.

    5. Tap the + sign.

    6. Tap Enter a setup key.

    7. In the Account field, enter your Okta username.

    8. In the Key field, enter the string of numbers and letters that you made a note of earlier.

    9. Tap Add. The message Secret saved appears.

    10. In the web browser on your computer, click Next.

    11. In the Enter Code field, enter the setup key shown in Google Authenticator on your mobile device.

    12. Click Verify.

Important considerations

  • The allowable clock skew is two minutes, meaning that Google Authenticator tolerates the clock on an end-user device differing by ± 2 minutes from the clock in the app.

  • After five unsuccessful authentication attempts, regardless of the time between the attempts, the user account is locked and must be reset by an administrator.
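
The two considerations above can be seen together in a small verifier. This is an added example, not Okta's code: it assumes standard RFC 6238 TOTP with Google Authenticator's defaults (HMAC-SHA1, 30-second steps, 6 digits), and the names `totp`, `Verifier`, `SKEW_STEPS` and `MAX_FAILURES` are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30                   # seconds per time step (assumed Google Authenticator default)
SKEW_STEPS = 120 // STEP    # the two-minute allowance = 4 steps on either side
MAX_FAILURES = 5            # lockout threshold from the list above

def totp(key_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 code for unix_time; key_b32 is the Base32 setup key."""
    key_b32 = key_b32.upper().replace(" ", "")
    key = base64.b32decode(key_b32 + "=" * (-len(key_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", unix_time // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Server-side check: skew window plus a failure counter with no time-based reset."""

    def __init__(self, key_b32: str):
        self.key = key_b32
        self.failures = 0

    def verify(self, code: str, server_time: int) -> str:
        if self.failures >= MAX_FAILURES:
            return "locked"                      # stays locked until an admin reset
        now = server_time // STEP
        for step in range(now - SKEW_STEPS, now + SKEW_STEPS + 1):
            if hmac.compare_digest(totp(self.key, step * STEP), code):
                self.failures = 0                # assumption: success clears the counter
                return "ok"
        self.failures += 1
        return "locked" if self.failures >= MAX_FAILURES else "denied"

    def admin_reset(self) -> None:
        self.failures = 0
```

A ± 2 minute window means nine 30-second codes are valid at any moment instead of one, which is why a hard attempt limit accompanies it.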