Google Authenticator
Google Authenticator provides a Time-based One-time Password (TOTP) that enables users to authenticate themselves in Okta.
Admins add Google Authenticator to the list of accepted authenticators in Okta. Then, users who select it to authenticate are prompted to enter the time-based, six-digit code they see in the Google Authenticator app in Okta.
Okta enforces a rate limit on unsuccessful authentication attempts from Okta-enrolled third-party OTP authenticators. These authenticators include Google Authenticator, Symantec VIP, and YubiKey OTP. The rate limit is a total of five unsuccessful attempts from any or all of these authenticators within a rolling five-minute period. When a user exceeds the rate limit, they can’t sign in until the rate limit passes. These attempts are registered in the System Log.
The Google Authenticator app allows a time difference on the end-user device of up to two minutes earlier or later than the time in the Google Authenticator app.
This authenticator is a possession factor, fulfills the requirements for user presence, and is device-bound. See Multifactor authentication.
Add the Google Authenticator
-
In the Admin Console, go to .
-
On the Setup tab, click Add Authenticator.
-
Click Add on the authenticator tile.
Add the Google Authenticator to the authenticator enrollment policy
-
In the Admin Console, go to .
- Click the Enrollment tab.
- Add the authenticator to a new or an existing authenticator enrollment policy. See Create an authenticator enrollment policy.
Edit or delete the Google Authenticator
Before you edit or delete the authenticator, you may have to update existing policies that use this authenticator.
- In Authenticators, go to the Setup tab.
- Open the Actions dropdown menu beside the authenticator, and then select Edit or Delete.
End-user experience
End users must install the Google Authenticator app on their mobile device and add an account to it for their Okta org. See Get verification codes with Google Authenticator.