Okta Verify can be set up to use your phone’s authenticator app functionality for Multi-Factor Authentication (MFA), generating time-based one-time passwords (TOTP) directly on your device.

Let’s see this in action. Imagine you’re logging into a service protected by Okta. After entering your username and password, Okta prompts you for your second factor. Instead of a push notification or an SMS code, you’ll see a prompt for a code. You then open your authenticator app (like Google Authenticator, Authy, or even Okta Verify itself if configured for TOTP) on your phone, find the code for your Okta account, and enter that six-digit number into the Okta login screen.

Here’s how it works under the hood. When you enroll an authenticator app for MFA with Okta, Okta generates a secret key. This secret key is shared securely with your authenticator app – typically by scanning a QR code or entering a text-based key. Both Okta’s server and your authenticator app use this shared secret key along with the current time to independently generate the same sequence of 6-digit codes. These codes change every 30-60 seconds, hence "time-based." When you enter a code, Okta checks if the code it generated for that time window matches the one you provided.

The primary problem this solves is providing a highly secure, phishing-resistant second factor that doesn’t rely on potentially vulnerable SMS delivery or on a constant internet connection for push notifications: once the app is set up, codes are generated on the device without any network access. It’s a robust, widely adopted standard for MFA.

To configure this, an Okta administrator first needs to enable the "Authenticator" enrollment policy for your Okta organization. This is usually done under Security > Authenticators. Within the "Authenticator" settings, you’d ensure "Authenticator app" is enabled and is assigned a priority.

Once enabled at the org level, individual users can enroll their authenticator app during their Okta sign-in flow. When prompted for MFA, they’ll see an option to "Set up authenticator app." Clicking this will present a QR code. They then open their chosen authenticator app on their smartphone, select "Add Account" or a similar option, and scan the QR code. The app will then start generating the TOTP codes.

Here’s a typical setup flow you might see as an end-user:

  1. Log in to Okta: Navigate to your organization’s Okta portal and enter your username and password.
  2. MFA Prompt: You’ll be prompted for your second factor. If you haven’t set up an authenticator app yet, you’ll see options like "Set up authenticator app."
  3. Select "Authenticator App": Choose this option.
  4. Scan QR Code: Okta displays a QR code. Open your preferred authenticator app (e.g., Google Authenticator, Authy) on your phone, tap the '+' icon, and choose "Scan QR code."
  5. App Adds Account: Your phone’s camera will scan the QR code, and your authenticator app will automatically add your Okta account and begin displaying a 6-digit code.
  6. Verify Setup: Back in the Okta setup screen, you’ll be asked to enter the current code displayed in your authenticator app to confirm the enrollment.
  7. Enrollment Complete: Once verified, the authenticator app is successfully linked for MFA.

The crucial piece of information for administrators is that the "Authenticator App" feature in Okta leverages the TOTP standard (RFC 6238). This means it’s interoperable with many third-party authenticator applications, not just Okta Verify’s own TOTP functionality. You can configure your Okta organization to allow users to enroll any TOTP-compliant app.

The next step in securing your accounts involves understanding how to manage and recover access if you lose your authenticator device.
