Master code option in MFA API?


  1. Angus logs in to the website with his username and password.
  2. He sees the screen asking for a code from Google Authenticator.
  3. He unlocks the phone and opens Google Authenticator.
  4. He finds out that Google Authenticator is not working and does not display the auth code for some reason.
  5. Alternatively, he enters the master code he got when setting up 2FA.
  6. He logs in successfully.

Does the Okta MFA API give the user a master code when the user signs up for MFA?

Google Authenticator is a standards-based implementation of TOTP. When enrolling the factor, a “shared secret” is generated by Okta and stored in Google Authenticator as part of the enrollment process (e.g. scanning a QR code or manually creating a new entry). Okta asks you to complete a TOTP challenge as part of the enrollment process to make sure that you, the end user, have successfully configured your authenticator.

You can only obtain the “shared secret” during factor enrollment.
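
The enrollment flow described in the answer above, as an added example that is not part of the original thread and is not Okta's code: it shows how one shared secret drives both the authenticator app's code and the server's enrollment challenge, using standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits). The function names, issuer and account values are hypothetical.

```python
import base64, hashlib, hmac, secrets, struct, time
from urllib.parse import quote

def totp(secret: bytes, at: float, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def new_enrollment(issuer: str, account: str):
    """Server side: create the shared secret and the URI carried by the QR code."""
    secret = secrets.token_bytes(20)             # shown to the user only at this point
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
           f"?secret={b32}&issuer={quote(issuer)}")
    return secret, uri

def verify(secret: bytes, code: str, at: float,
           window: int = 1, digits: int = 6, step: int = 30) -> bool:
    """Check a submitted code, tolerating `window` steps of clock drift."""
    if len(code) != digits or not (code.isascii() and code.isdigit()):
        return False
    ok = False
    for drift in range(-window, window + 1):     # no early exit: constant work
        expected = totp(secret, at + drift * step, digits, step)
        ok |= hmac.compare_digest(expected, code)
    return ok

if __name__ == "__main__":
    # Hypothetical issuer and account, constructed for this example.
    secret, uri = new_enrollment("ExampleIdP", "angus@example.com")
    print("QR payload:", uri)
    now = time.time()
    app_code = totp(secret, now)                 # what the authenticator app displays
    print("enrollment challenge passed:", verify(secret, app_code, now))
```

Because every code is derived from the secret plus the current time, an authenticator that has lost the secret cannot produce a valid code, and the secret itself is only available at enrollment, as the answer states.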