nathan-v / aws_okta_keyman

AWS Okta Keyman (Key Manager) - An AWS + Okta CLI for generating and managing local AWS API keys
https://nathanv.com

Support for 3-number challenge when Okta Verify mobile app forces extra verification #81

Open SmithTM90 opened 3 years ago

SmithTM90 commented 3 years ago

Is your feature request related to a problem? Please describe.
When attempting to use aws_okta_keyman, Okta Verify for Android determines that it is an "unusual" login attempt, and forces an additional layer of verification with the 3-number challenge. Unfortunately, this prevents further use of aws_okta_keyman.

Describe the solution you'd like
The CLI tool should be able to integrate with this 3-number challenge verification step, and report back the correct number to select in the Okta Verify mobile app so that users can get past this stage and be able to use aws_okta_keyman successfully when additional verification is required.

nathan-v commented 3 years ago

Hi @SmithTM90 I've never seen that issue or case. Do you have an Okta setting that causes this?

jasonmfehr commented 3 years ago

Hi @nathan-v we have this issue too. If Okta detects something amiss with the login attempt, it does an additional challenge. It could be a setting that our org uses, I am not sure though. The way we can cause the three number challenge to happen is by connecting to a VPN that routes outbound internet through a distant city.

nathan-v commented 2 years ago

If someone knows the setting required to cause this I can set it up in a test Okta to try and replicate. I'd love to be able to support this.

krichter commented 2 years ago

@nathan-v - I believe it's this setting: https://help.okta.com/oie/en-us/Content/Topics/identity-engine/authenticators/configure-okta-verify-options.htm

andre-nguyen commented 1 month ago

For some reason (maybe my org put these settings?) I'm getting the 3 number challenge all the time. Any way around this?

Pashtetollo commented 1 month ago

I created a PR that fixes the issue for me by pulling the needed number from the request status once Okta issues the 3-number challenge. I couldn't find any Okta documentation on how to retrieve the number challenge answer for this authentication method, so I just implemented a solution by debugging the process. Feel free to rewrite or update it as needed.

andre-nguyen commented 1 month ago

Alternatively, I've been pointed to this: https://github.com/Nike-Inc/gimme-aws-creds, which seems to work for me. Not clear if this is org dependent though.