Instructions for

On this page

Google Authenticator integration guide

Identity Engine

This guide shows you how to integrate Google Authenticator into your authentication use cases using the embedded SDK.


Learning outcomes

  • Understand the Google Authenticator flow.
  • Learn step-by-step how to integrate Google Authenticator into your authentication use case

What you need

Sample code


The reason to choose Google Authenticator

Google Authenticator is an authenticator app developed by Google used to verify the identity of a user. The app is often used in conjunction with a password to strengthen user accounts from security attacks. It's considered more secure than other additional authenticators such as SMS since it's resistant to SIM swap attacks. It doesn't require a cellular or Wifi network to use and setup can be as easy as a snapshot of a QR Code.

Authentication flow

After a user is enrolled in Google Authenticator, they are challenged by the service provider (for example, a website) to provide a Time-based One-Time Password (TOTP) during authentication. Google Authenticator generates the TOTP, which is submitted by the user to the service provider for verification. The service provider independently generates the password and validates that the submitted password is identical to the generated one.

A shared key linking the Google Authenticator app and service provider allows for both entities to generate the same password. This shared key is initially generated by the service provider and added to the app during enrollment.

As the service provider, you can provide Google Authenticator support to your users by enabling it in your Okta org and building out support for it in your application using the Embedded SDK.

The following diagram illustrates how the Google Authenticator enrollment and challenge flows can work in your application.

Diagram showing the Google Authenticator enrollment flow

Update configurations

Before you can start using Google Authenticator, create an Okta org application as described in

. Then add Google Authenticator to your app integration by executing the following steps:

Add Google Authenticator to your org

First, add Google Authenticator to your org and enable it.

  1. Open the Admin Console for your org.
  2. Choose Security > Authenticators to show the available authenticators.
  3. If the Google Authenticator isn't in the list:
    1. Click Add Authenticator.
    2. Click Add on the Google Authenticator tile, and then click Add in the next dialog.
  4. Select the Enrollment tab.
  5. Check that Google Authenticator is set to either Optional or Required in the Eligible Authenticators section of the Default Policy.
    1. If Google Authenticator is set to Disabled, click Edit for the Default Policy
    2. Select Optional from the drop-down box for the Google Authenticator, and then click Update Policy.

Set your app integration to use Google Authenticator

New apps are automatically assigned the shared default authentication policy (opens new window). This policy has a catch-all rule that allows a user access to the app using either one or two factors, depending on your org setup. In production, it becomes evident when you can share your authentication needs between apps. In testing, it's recommended that you create a new policy specifically for your app.

  1. Open the Admin Console for your org.

  2. Choose Security > Authentication Policies to show the available authentication policies.

  3. Click Add a Policy.

  4. Give the policy a name, and then click Save.

  5. Locate the Catch-all Rule of the new policy and select Actions > Edit.

  6. Select Allowed after successful authentication.

  7. Set User must authenticate with to Password + Another factor.

  8. For Possession factor constraints

    1. Verify that Device Bound is selected.
    2. Verify that Google Authenticator is listed in the box under Additional factor types. If it is not listed, check the authenticator has been enabled using steps 4 and 5 of Add Google Authenticator to your org.
    3. Click Save.
  9. Select the Applications tab for your newly created policy, and then click Add App.

  10. Find your app in the list and click Add next to it.

  11. Click Close.

  12. Verify that the app is now listed in the Applications tab of the new policy.

Install Google Authenticator

Install the Google Authenticator app on your mobile device either using either the Google Play Store (Android) or Apple App Store (iOS).

Integrate SDK for authenticator enrollment

Summary of steps

The following summarizes the Google Authenticator enrollment flow using a user sign-in use case.

Integrate SDK for authenticator challenge

Summary of steps

The following summarizes the Google Authenticator challenge flow using a user sign-in use case.

See also