Google Authenticator

Google Authenticator is an app that provides a Time-based One-time Password (TOTP) as a second factor of authentication to users who sign in to environments where multifactor authentication (MFA) is required.

In Okta, admins add Google Authenticator to the list of accepted authenticators. Users who select it are then prompted to enter in Okta the time-based, six-digit code shown in the Google Authenticator app on their device.

Activate Google Authenticator as an Okta authenticator

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Setup tab, click Add Authenticator.
  3. Click Add on the Google Authenticator tile and again in the details screen.
  4. Enroll Google Authenticator in a multifactor policy.

Enroll Google Authenticator in an MFA enrollment policy

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Enrollment tab, add a new MFA enrollment policy or edit an existing one.

Add a policy

  1. Click Add Multifactor Policy.
  2. Enter a name.
  3. Assign to groups.
  4. Set Google Authenticator to Optional or Required.
  5. Click Create Policy.
  6. To add one or more rules to the policy, see Configure an authentication enrollment policy rule.

Edit a policy

  1. Select the policy you want to edit, and then click Edit.
  2. In Effective factors, set Google Authenticator to Optional or Required.
  3. Click Update Policy.
  4. To add one or more rules to the policy, see Configure an authentication enrollment policy rule.

End-user experience

  1. Go to the Apple App Store or the Google Play Store and install Google Authenticator on your device.
  2. In the web browser on your computer: When signing in to Okta or accessing an Okta-protected resource, enter your credentials and then click Next.
  3. On the Setup security authenticators screen, click Set up.
  4. Select your device type, and then click Next.
  5. Perform the QR code scanning steps that apply to you:

    If your device supports scanning the QR code:

    1. Don’t click Next in the browser yet; instead, on your mobile device, launch Google Authenticator.
    2. In Google Authenticator, tap the + sign.
    3. Tap Scan a QR code and then point your camera at the QR code displayed in the browser on your computer. Your device camera scans the QR code automatically.
    4. In the web browser on your computer, click Next.
    5. In the Enter Code field, enter the six-digit code shown in Google Authenticator on your mobile device (the code, not the setup key).
    6. Click Verify.

    If you can’t scan the QR code:

    1. Don’t click Next in the browser yet.
    2. In the web browser on your computer, click Can’t scan.
    3. In the field above the Next button, make a note of the string of numbers and letters. This is the setup key, the shared secret from which all your codes are derived: treat it as a secret and don't store it anywhere others can read it.
    4. On your mobile device, launch Google Authenticator.
    5. Tap the + sign.
    6. Tap Enter a setup key.
    7. In the Account field, enter your Okta username.
    8. In the Key field, enter the string of numbers and letters that you made a note of earlier.
    9. Tap Add. The message Secret saved appears.
    10. In the web browser on your computer, click Next.
    11. In the Enter Code field, enter the six-digit code shown in Google Authenticator on your mobile device (the code, not the setup key you entered in step 8).
    12. Click Verify.

About rate limiting for Google Authenticator

To protect your sensitive corporate resources from unauthorized access, Okta enforces a rate limit of five unsuccessful authentication attempts from Google Authenticator over a rolling five-minute period. If unsuccessful authentications from Google Authenticator exceed the rate limit:

  • Authentication from Google Authenticator isn't allowed until the rate limit passes.
  • Okta returns HTTP status code 429, indicating "too many requests".
  • A message appears on the user interface and is written to the System Log.

Important considerations

  • The clock on the end user's device, which Google Authenticator uses to compute each code, might not match the clock Okta uses to verify it. To compensate, Okta accepts codes computed for a time up to two minutes earlier or later than its own clock. Keep the device clock synchronized (for example, with automatic network time): if the drift exceeds that window, every code the app shows is rejected.
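The enrollment steps above end with the user typing a six-digit code derived from the setup key, and the rate-limiting and clock-drift sections describe how the verifying side treats that code. The following is an added example, not code from Okta or Google, that implements the RFC 6238 TOTP scheme Google Authenticator uses (HMAC-SHA1, 30-second step, six digits), verifies a code with the two-minute tolerance described above, and enforces a rolling limit of five failed attempts in five minutes. The setup key is the RFC 6238 test secret in base32, the user names are constructed, and the per-user keying of the limiter and the 401/429 status values are illustrative assumptions, not Okta's implementation.

```python
import base64
import hashlib
import hmac
import struct
import time
from collections import defaultdict, deque

# Constructed sample setup key: the RFC 6238 test secret "12345678901234567890"
# in base32, the form shown on the "Can't scan" screen. Not a real user's key.
SETUP_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

STEP_SECONDS = 30   # Google Authenticator's time step
DIGITS = 6          # the six-digit code the user types into Okta
SKEW_STEPS = 4      # +/- 2 minutes at 30-second steps, per the consideration above


def totp(setup_key: str, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits): the code the app displays."""
    # The setup key is base32; tolerate the spaces the app shows when displaying it.
    key = base64.b32decode(setup_key.replace(" ", "").upper())
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(setup_key: str, code: str, now: int, skew_steps: int = SKEW_STEPS) -> bool:
    """Accept the code if it matches any step within +/- skew_steps of the server clock."""
    if len(code) != DIGITS or not code.isdigit():
        return False
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp(setup_key, now + delta * STEP_SECONDS)
        if hmac.compare_digest(candidate, code):  # constant-time comparison
            return True
    return False


class FailureRateLimiter:
    """Per-user rolling window: block once max_failures failures occur within window_seconds.
    Illustrates the five-per-five-minutes rule on the page (assumed per-user keying)."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 300):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures

    def _prune(self, user: str, now: int) -> None:
        q = self._failures[user]
        while q and q[0] <= now - self.window_seconds:
            q.popleft()

    def is_blocked(self, user: str, now: int) -> bool:
        self._prune(user, now)
        return len(self._failures[user]) >= self.max_failures

    def record_failure(self, user: str, now: int) -> None:
        self._prune(user, now)
        self._failures[user].append(now)


def authenticate(user: str, setup_key: str, code: str, now: int,
                 limiter: FailureRateLimiter) -> int:
    """Return an HTTP-style status: 200 success, 401 wrong code, 429 rate limited."""
    if limiter.is_blocked(user, now):
        return 429  # attempts beyond the limit are refused until the window passes
    if verify_totp(setup_key, code, now):
        return 200
    limiter.record_failure(user, now)
    return 401


if __name__ == "__main__":
    # What the app would show right now for the sample key (manual setup-key path).
    print("current code for sample key:", totp(SETUP_KEY, int(time.time())))
```

Two points the example makes concrete: with a four-step tolerance in each direction, nine of the one million possible codes are valid at any instant, which is why a failure limit on the verifier matters; and a production verifier should additionally refuse to accept the same code twice within its window (RFC 6238, section 5.2), which this example omits.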

Related topics

Create an authentication enrollment policy

Configure an authentication enrollment policy rule