My firm is working to utilize Okta as the authenticator for our custom application. Part of this work is migrating user credentials from the custom app’s database to Okta. Unfortunately, our passwords use a hash algorithm not supported by Okta, so there’s no way to bulk-migrate these into Okta. We can, of course, leverage tools like the Password Inline Hook to JIT-authenticate and resolve passwords, but we have millions of users with very sporadic logon activity, so that would mean maintaining credentials in the custom app and the Password Inline Hook essentially forever. For business reasons, we don’t want to just cut bait and delete rarely used credentials from our system. So we’re faced with figuring out how to get users into Okta without their passwords, and without blocking them from accessing our app.
One approach we’re considering is that we’d migrate users to Okta without passwords. We’d enroll these users in the SmsPhone Factor (we already have verified SmsPhone numbers in the custom app). Then, when one of these users attempts to log on, they can execute the Okta Forgot Password flow, get an SmsCode to authenticate themselves, receive a Password Reset email, and choose a new password.
The problem we’re seeing with this approach is that when enrolling a user in the SmsPhone Factor, Okta will immediately send an OTP to the SmsPhone to verify it. So, if we attempt to bulk-migrate SmsPhones, our users would all be sent an unexpected OTP to verify, which they could not verify since they have no way to log on to the system yet, because we don’t have their passwords yet.
Looking to see whether anyone in the community has solved this problem of importing SmsPhone Factors, or has come up with a different approach for migrating users whose passwords are unavailable without having to maintain those passwords in the original system for an indeterminate period of time.
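To make the two migration steps in the question concrete, here is an added example (not the poster's code and not an Okta-provided script) that builds, offline, the Okta API requests such a bulk migration would issue: one `POST /api/v1/users?activate=false` per user with a profile and no credentials block, and one `POST /api/v1/users/{userId}/factors` SMS enrollment per user, which is the call the post identifies as the one that triggers the verification OTP. It sends nothing; it only returns the request bodies so they can be reviewed before any phone receives a message. The sample user export is constructed for the example, and the assumption that numbers without a country code are 10-digit numbers in country code 1 is the example's own, as is the choice to still create users with an unusable phone number but leave them out of the enrollment list.

```python
import re

# Constructed sample export from the legacy application for this example; not real users.
LEGACY_USERS = [
    {"email": "alice@example.com", "first": "Alice", "last": "Ng",   "phone": "+1 (415) 555-0100"},
    {"email": "bob@example.com",   "first": "Bob",   "last": "Lee",  "phone": "415-555-0101"},
    {"email": "carol@example.com", "first": "Carol", "last": "Ruiz", "phone": "12345"},
]


def to_e164(raw, default_country_code="1"):
    """Normalize a phone string to E.164 ('+' followed by up to 15 digits).

    Returns None when the number cannot be trusted. Numbers without a leading '+'
    are assumed to be 10-digit national numbers in the default country; that is an
    assumption made for this example, not a rule from the original post.
    """
    text = (raw or "").strip()
    digits = re.sub(r"\D", "", text)
    if text.startswith("+"):
        candidate = digits
    elif len(digits) == 10:
        candidate = default_country_code + digits
    else:
        return None
    if not 8 <= len(candidate) <= 15:
        return None
    return "+" + candidate


def create_user_request(user, phone_e164):
    """Request for POST /api/v1/users?activate=false: a profile with no credentials
    block, so the user is created without a password (Okta leaves it in STAGED status)."""
    profile = {
        "login": user["email"],
        "email": user["email"],
        "firstName": user["first"],
        "lastName": user["last"],
    }
    if phone_e164:
        profile["mobilePhone"] = phone_e164
    return {"method": "POST", "path": "/api/v1/users?activate=false", "body": {"profile": profile}}


def enroll_sms_request(okta_user_id, phone_e164):
    """Request for POST /api/v1/users/{userId}/factors enrolling the Okta SMS factor.
    As the post describes, this is the step that makes Okta send a verification OTP."""
    return {
        "method": "POST",
        "path": f"/api/v1/users/{okta_user_id}/factors",
        "body": {"factorType": "sms", "provider": "OKTA", "profile": {"phoneNumber": phone_e164}},
    }


def plan_migration(legacy_users):
    """Build the create-user requests plus the (login, phone) pairs to enroll once each
    user's Okta id is known. Users whose phone does not normalize are still created
    but listed under 'skipped', so they get a different recovery path instead of a
    failed enrollment; duplicate logins are skipped because Okta would reject them."""
    plan = {"create": [], "enroll": [], "skipped": []}
    seen = set()
    for user in legacy_users:
        login = user["email"].lower()
        if login in seen:
            plan["skipped"].append((login, "duplicate login"))
            continue
        seen.add(login)
        phone = to_e164(user["phone"])
        plan["create"].append(create_user_request(user, phone))
        if phone:
            plan["enroll"].append((login, phone))
        else:
            plan["skipped"].append((login, f"unusable phone {user['phone']!r}"))
    return plan


if __name__ == "__main__":
    import json
    print(json.dumps(plan_migration(LEGACY_USERS), indent=2))
```

Running the plan step separately from the HTTP calls is deliberate: the `enroll` list is exactly the set of phones that would receive an OTP, so it can be counted, sampled, and held back until the team has decided how those users will verify.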