Google Authenticator (MFA)

Google Authenticator is a mobile app that generates Time-based One-time Passwords (TOTP, RFC 6238) for use as a second factor when signing in to environments that require multifactor authentication (MFA). Each code is computed on the device from a shared secret and the current time, so the app needs no network connection, but it does depend on the device clock being roughly correct.

In Okta, admins add Google Authenticator to the list of accepted factors. Users who choose it are then prompted, when signing in to Okta, to enter the six-digit time-based code currently shown in the Google Authenticator app.

Add Google Authenticator as a factor

  1. In the Admin Console, go to Security > Multifactor.
  2. In Factor Types, click Google Authenticator.
  3. Click Inactive in the upper right and then select Activate.
  4. Enroll Google Authenticator in a multifactor policy.

Enroll Google Authenticator in a multifactor policy

  1. In the Admin Console, go to Security > Multifactor.
  2. On the Factor Enrollment tab, add a new multifactor policy or edit an existing one.

Add a policy

  1. Click Add Multifactor Policy.
  2. Enter a name.
  3. Assign to groups.
  4. Set Google Authenticator to Optional or Required.
  5. Click Create Policy.
  6. To add one or more rules to the policy, see Configure an MFA enrollment policy rule.

Edit a policy

  1. Select the policy you want to edit, and then click Edit.
  2. In Effective factors, set Google Authenticator to Optional or Required.
  3. Click Update Policy.
  4. To add one or more rules to the policy, see Configure an MFA enrollment policy rule.

End-user experience

  1. Go to the Apple App Store or the Google Play Store and install Google Authenticator on your device.
  2. In the web browser on your computer: When signing in to Okta or accessing an Okta-protected resource, enter your credentials and then click Next.
  3. On the Setup security authenticators screen, click Set up.
  4. Select your device type, and then click Next.
  5. Perform the QR code scanning steps that apply to you:

    If your device supports scanning the QR code:

    1. Don’t click Next in the browser yet; instead, on your mobile device, launch Google Authenticator.
    2. In Google Authenticator, tap the + sign.
    3. Tap Scan a QR code and then point your camera at the QR code displayed in the browser on your computer. Your device camera scans the QR code automatically.
    4. In the web browser on your computer, click Next.
    5. In the Enter Code field, enter the six-digit code currently shown for your Okta account in Google Authenticator on your mobile device.
    6. Click Verify.

    If you can’t scan the QR code:

    1. Don’t click Next in the browser yet.
    2. In the web browser on your computer, click Can’t scan.
    3. In the field above the Next button, make a note of the string of numbers and letters. This is the setup key: the shared secret that the QR code would otherwise have carried. Treat it like a password and don't save it anywhere other than the authenticator app.
    4. On your mobile device, launch Google Authenticator.
    5. Tap the + sign.
    6. Tap Enter a setup key.
    7. In the Account field, enter your Okta username.
    8. In the Key field, enter the string of numbers and letters that you made a note of earlier.
    9. Tap Add. The message Secret saved appears.
    10. In the web browser on your computer, click Next.
    11. In the Enter Code field, enter the six-digit code currently shown for your Okta account in Google Authenticator on your mobile device (not the setup key you typed in earlier).
    12. Click Verify.

Important considerations

  • The allowable clock skew is two minutes: Okta accepts a code if the clock of the device running Google Authenticator is within ± 2 minutes of Okta's own clock. With the 30-second TOTP time step that Google Authenticator uses, this means Okta checks the submitted code against the current time step and up to four steps on either side. A device whose clock has drifted further than that produces codes Okta rejects even though the app shows them as valid.

  • After five unsuccessful authentication attempts, regardless of the time between the attempts, the user account is locked and must be reset by an administrator.
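The following is an added example that models what the enrollment and verification steps above do, not Okta's own code or Google Authenticator's: it generates the Base32 setup key that the QR code (an otpauth:// URI) carries, computes the six-digit code the way the app does, and verifies codes server-side with the ± 2-minute skew window and five-attempt lockout described in the considerations. Assumed throughout are Google Authenticator's defaults (HMAC-SHA1, 6 digits, 30-second step); the issuer and account names are placeholders. The refusal to accept the same time step twice is standard RFC 6238 practice and is not something this page describes.

```python
"""TOTP enrollment and verification model (RFC 6238) for a Google Authenticator
factor. Added example, not Okta's code. Assumed constants: Google Authenticator's
defaults (SHA-1, 6 digits, 30 s step), Okta's documented +/- 2 min skew and
five-failure lockout."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

DIGITS = 6
STEP = 30            # seconds per time step (Google Authenticator default)
SKEW_SECONDS = 120   # Okta tolerates +/- 2 minutes of device clock drift
MAX_FAILURES = 5     # Okta locks the account after five bad attempts


def new_setup_key(nbytes: int = 20) -> str:
    """Generate the shared secret as the Base32 'setup key' a user types when
    the QR code can't be scanned (20 random bytes is the RFC 4226 minimum)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def otpauth_uri(issuer: str, account: str, setup_key: str) -> str:
    """Build the otpauth:// URI that the enrollment QR code encodes (the Key URI
    format Google Authenticator understands). issuer/account are placeholders."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={setup_key}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def totp(setup_key: str, at: int) -> str:
    """Compute the 6-digit code for the time step containing Unix time `at`:
    HMAC-SHA1 over the big-endian step counter, then RFC 4226 dynamic truncation."""
    padded = setup_key + "=" * (-len(setup_key) % 8)   # restore Base32 padding
    key = base64.b32decode(padded, casefold=True)
    counter = struct.pack(">Q", at // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class TotpVerifier:
    """Server side of the factor: accept a code that matches any step inside the
    skew window, never accept a step that was already used (RFC 6238 replay rule,
    assumed here), and lock after MAX_FAILURES regardless of elapsed time."""

    def __init__(self, setup_key: str):
        self.setup_key = setup_key
        self.failures = 0
        self.locked = False
        self.last_step_used = -1

    def verify(self, code: str, now=None) -> bool:
        if self.locked:
            return False            # an administrator must reset the account
        now = int(time.time()) if now is None else now
        window = SKEW_SECONDS // STEP   # 120 / 30 = 4 steps on each side
        for delta in range(-window, window + 1):
            step_time = now + delta * STEP
            step_index = step_time // STEP
            if step_index <= self.last_step_used:
                continue            # a code is good once; block replay
            if hmac.compare_digest(totp(self.setup_key, step_time), code):
                self.failures = 0
                self.last_step_used = step_index
                return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
        return False


if __name__ == "__main__":
    key = new_setup_key()
    print("QR code payload:", otpauth_uri("Okta", "alice@example.com", key))
    v = TotpVerifier(key)
    print("code accepted:", v.verify(totp(key, int(time.time()))))
```

The RFC 6238 test vectors (seed `12345678901234567890`, SHA-1) are a quick way to confirm `totp()` matches the app: at Unix time 59 the code is 287082, and at 1111111109 it is 081804. Note that the skew window is applied by the verifier, not the app; a user whose device clock is more than two minutes off sees nothing wrong until Okta rejects the code.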