gabrielsroka / gabrielsroka.github.io

My website, including rockstar: Export Okta Users, Groups, etc. to CSV. Show SAML assertion.
https://gabrielsroka.github.io/
MIT License

Google Authenticator MFA Verification #42

Closed itbharsh closed 1 year ago

itbharsh commented 1 year ago

We have users with Help Desk, Read Only and Report Administrator roles in our Okta tenant, and they can use Rockstar to verify Okta Verify Push & Code MFA factors as well as the SMS code MFA factor, but when they try to verify Google Authenticator, the code is sent, but when the admin enters the code they get an error in Rockstar that says they do not have the proper permission. I figured out that if I granted these users the "Group Administrator" role for the entire org, this fixed the issue, but that is not a role I wish our Help Desk staff to have.

I opened a case with Okta Support (Case 01500916) and they dug into this after having me send them a screenshot of the error along with the HAR file that captured activity when the error occurred. Okta is now saying that this is an issue with Rockstar and not with Okta and that I needed to bring this issue up with you if I wanted it addressed. I'm not saying they are wrong but it seems strange that a permissions issue would be a plugin issue. I've asked Okta to provide guidance on if there is a MFA verification API that I could try outside of Rockstar to see if I can reproduce the issue or not.

We would appreciate any help you can offer on this matter as our Help Desk leverages MFA verification to help with identify proofing when someone calls in reporting issues. We really like Rockstar and all features that it offers!

On a related topic, any idea when you might add in MFA verification for Yubikey to Rockstar?

gabrielsroka commented 1 year ago

I use super admin. Fewer permissions might not work.

If it works as super admin, but doesn't work if you have fewer permissions, there's probably nothing I can do. But check the docs and try it yourself.

The rockstar source code: https://github.com/gabrielsroka/gabrielsroka.github.io/blob/master/rockstar/rockstar.js#L202-L219

etc.

API docs: https://developer.okta.com/docs/reference/api/factors

Yubikey

It's not supported by the API, or not for another user (only for the same user). It depends whether it's Yubikey OTP or WebAuthn. Please check the docs.

gabrielsroka commented 1 year ago

> Google Authenticator the code is sent

Google Authenticator doesn't send anything. The code changes every 30 seconds.

pro4tlzz commented 1 year ago

@itbharsh I would push back to Okta.

If the /api/v1/users/$userId/factors/$factorId/verify endpoint works for Okta Verify and SMS (as a helpdesk admin) but not for Google OTP, then it sounds like Okta missed out a permission on their backend API factor schema.
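A direct way to repeat the call Rockstar makes against that verify endpoint, as an added example (not code from the rockstar project or from anyone in this thread); the org URL, user ID, factor ID and API token are placeholders you supply:

```python
# Added example (not rockstar code): call the Okta Factors API verify endpoint
# directly, so an admin with a limited role can see whether the API itself
# rejects the request. Org URL, IDs and token are placeholders.
import json
import urllib.error
import urllib.request


def verify_url(org_url, user_id, factor_id):
    """Endpoint Rockstar posts to: /api/v1/users/{userId}/factors/{factorId}/verify."""
    return f"{org_url.rstrip('/')}/api/v1/users/{user_id}/factors/{factor_id}/verify"


def verify_body(pass_code=None):
    """No passCode starts a challenge (SMS send, push); passCode checks an entered code."""
    return {"passCode": pass_code} if pass_code else {}


def interpret(status, payload):
    """Return (outcome, detail) so a permission failure is not confused with a bad code.

    200 carries factorResult (SUCCESS, WAITING, CHALLENGE, ...); a 4xx carries
    Okta's errorCode/errorSummary, which is what to compare between a
    limited-role admin token and a super-admin token.
    """
    if status == 200:
        return payload.get("factorResult", "UNKNOWN"), payload.get("_links", {})
    detail = f"{payload.get('errorCode', '?')}: {payload.get('errorSummary', '')}"
    return ("FORBIDDEN" if status == 403 else f"HTTP_{status}"), detail


def verify_factor(org_url, api_token, user_id, factor_id, pass_code=None):
    """POST to the verify endpoint with an admin API token (SSWS scheme)."""
    req = urllib.request.Request(
        verify_url(org_url, user_id, factor_id),
        data=json.dumps(verify_body(pass_code)).encode(),
        method="POST",
        headers={"Authorization": f"SSWS {api_token}",
                 "Accept": "application/json",
                 "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return interpret(resp.status, json.load(resp))
    except urllib.error.HTTPError as err:
        return interpret(err.code, json.load(err))
```

Run the same sequence (empty body first for SMS/push, then the code the user reads out) once with a limited-role token and once with a super-admin token; a rejection that appears only with the limited-role token points to the role, not the code.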

itbharsh commented 1 year ago

@gabrielsroka Thanks for the fast response! You are correct in that Google Authenticator does not send a code; rather, the code is already on the device. Also, you don't need to be a Super Admin to get the Google Authenticator verification via Rockstar to work; rather, you just need to have the "Group Administrator" role for the entire org. I'm guessing that there might be just one app you need this role for rather than the entire org, but I'm not sure which one it is yet.

@gabrielsroka & @pro4tlzz thank you both for API information. I was able to reproduce the issue outside of Rockstar using the Okta API and have sent the results back to Okta Support. I'll follow up once I get their response.

Thanks again and keep up the good work with Rockstar! WE ARE BIG FANS!!!

itbharsh commented 1 year ago

Okta has fixed this issue. Thanks for your help!