hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Add Login MFA support for Okta TOTP #24562

Open cognifloyd opened 11 months ago

cognifloyd commented 11 months ago

Is your feature request related to a problem? Please describe.

I need to require MFA (on login) for all my users using Okta as the IdP and without enabling Okta push verification.

My organization prohibits the use of Okta Push, but Okta Login MFA only supports push verification, so I can't use Login MFA as it is today.

Describe the solution you'd like

Add support for Okta's TOTP factors to Login MFA, similar to how Duo Login MFA supports both push and passcodes.

Describe alternatives you've considered

  1. Okta Auth method: The Okta Auth method has partial support for using TOTP, but only if using the CLI to log in; the UI does not support Okta TOTP with the Okta Auth method. So, I can't use the Okta Auth method to enable MFA.
  2. Okta via OIDC Auth method: I tried to use the OIDC auth method, but OIDC limits logins to machines with a browser. So, I cannot log in with OIDC on the CLI of a remote VM.
  3. Login MFA w/ builtin TOTP method: I have to support several Vault clusters, so requiring all users to set up the TOTP method for each Vault cluster is onerous and error-prone.

Explain any additional use-cases

My users must use MFA when logging into Vault, whether they are logging in locally (via UI or CLI) or remotely (via CLI). My company uses Okta as our IdP and for MFA.

Additional context

PR submitted: #24563

Also backported on top of these release branches, under the branch's license. If HashiCorp wants to use one of the backport branches, that's fine, but I don't expect this to be released until 1.16.x.

cognifloyd commented 11 months ago

Related issue: #22961

22961 is about supporting more TOTP factor types in the Okta Auth backend. This issue is about supporting Okta TOTP via Login MFA.