Google Authenticator (MFA)
To sign in, end users must start the Google Authenticator app on their mobile device to generate a six-digit code that they use to sign in to your org. The codes are generated using the industry-standard Time-Based One-Time Password (TOTP) algorithm. The allowable clock skew is two minutes. After five unsuccessful attempts, regardless of the time between the attempts, the user account is locked and must be reset by an administrator.
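The following added example (not Okta's code) sketches how a verifier could apply the parameters stated on this page: six-digit codes, a 30-second step, two minutes of allowable clock skew, and lockout after five failures. HMAC-SHA1 is the Google Authenticator default; the `Verifier` class, the reading of skew as plus or minus four time steps, the replay guard, and resetting the failure count on success are assumptions, and the secret is the RFC 6238 test key.

```python
import base64, hashlib, hmac, struct

STEP = 30          # seconds before a new code is generated (from the page)
DIGITS = 6         # six-digit code (from the page)
SKEW = 120         # allowable clock skew in seconds (from the page)
MAX_FAILURES = 5   # failed attempts before lockout (from the page)
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # constructed: RFC 6238 test key, Base32

def totp(secret_b32, unix_time):
    """RFC 6238 TOTP using HMAC-SHA1 with dynamic truncation (RFC 4226)."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(unix_time) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Hypothetical server-side check; names and policy details are assumptions."""
    def __init__(self, secret_b32):
        self.secret = secret_b32
        self.failures = 0     # no time-based reset: gaps between attempts do not matter
        self.last_step = -1   # replay guard (RFC 6238 advice, not stated on the page)

    def verify(self, code, now):
        if self.failures >= MAX_FAILURES:
            return "locked"   # stays locked until an administrator resets the account
        for drift in range(-SKEW, SKEW + 1, STEP):
            t = int(now) + drift
            expected = totp(self.secret, t).encode()
            # Constant-time comparison; each time step is accepted at most once.
            if t // STEP > self.last_step and hmac.compare_digest(expected, code.encode()):
                self.last_step = t // STEP
                self.failures = 0   # assumption: a success clears earlier failures
                return "ok"
        self.failures += 1
        return "locked" if self.failures >= MAX_FAILURES else "rejected"

if __name__ == "__main__":
    v = Verifier(SECRET)
    print(v.verify(totp(SECRET, 1_000_000), 1_000_000 + 120))  # device clock 2 min behind
    print(v.verify(totp(SECRET, 1_000_000), 1_000_000 + 120))  # same code replayed
```

A two-minute tolerance means nine consecutive codes are acceptable at any instant, which is why the attempt counter matters as much as the code length.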
Configure Google Authenticator
The first time users sign in to their orgs after you configure this factor, they see the Extra verification is required for your account page and must perform the following steps:
- Click the Setup button.
- Select your mobile device, follow the instructions to download and install Google Authenticator, and then click Next.
- Configure Google Authenticator to link it to your Okta account. You can scan a QR code or manually enter the code.
If you scan a QR code, click Next. The pass code generator screen appears and generates pass codes to use when prompted for extra verification. You have 30 seconds to enter the pass code before it generates a new one.
To configure an account manually, perform the following steps:
- On your phone, start Google Authenticator and tap the + icon.
- In the username field, enter your Okta username (for example, firstname.lastname@example.org).
- On your computer, click the Can’t scan link so that you can access the secret key and enter it in the Key field.
- Click Done.
The pass code generator screen appears and generates pass codes to use when prompted for extra verification. You have 30 seconds to enter the pass code before it generates a new one.
Google Authenticator app
After you install and configure Google Authenticator, open the app and use the six-digit number to authenticate when prompted.
Revoke or reconfigure the Google Authenticator app
You can remove Google Authenticator as a factor by unchecking it in the factors list. To reconfigure it, remove it, and then add it back in.