The allowable clock skew is two minutes, meaning that Google Authenticator tolerates the clock in end user devices being ±2 minutes different from the clock in the app. For this reason, we recommend using Token2 hardware tokens with unrestricted time sync (otherwise you will have to reprovision the tokens every 2-3 years).
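The sketch below is an added example, not code from Okta or Token2. It shows how a verifier with a two-minute tolerance treats a code from a token whose clock has drifted. It assumes the Google Authenticator defaults (HMAC-SHA1, 30-second steps, 6 digits); the seed, the timestamp and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30            # TOTP time step in seconds (assumed default)
ALLOWED_SKEW = 120   # the two-minute tolerance stated above
SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # constructed sample seed (RFC 6238 test key)


def totp(seed_b32, unix_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the given moment."""
    key = base64.b32decode(seed_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def match_offset(seed_b32, submitted, server_time):
    """Return the clock offset (seconds) at which the submitted code
    matches, or None if no step inside the allowed skew matches."""
    steps = ALLOWED_SKEW // STEP
    # Try the server's own step first, then widen outwards.
    for n in sorted(range(-steps, steps + 1), key=abs):
        candidate = totp(seed_b32, server_time + n * STEP)
        if hmac.compare_digest(candidate, submitted):
            return n * STEP
    return None


if __name__ == "__main__":
    server_time = 1_700_000_010  # constructed timestamp on a step boundary
    for drift in (0, -90, -120, -150):  # token clock relative to server
        code = totp(SEED, server_time + drift)
        result = match_offset(SEED, code, server_time)
        verdict = "rejected" if result is None else f"accepted at {result:+d}s"
        print(f"token drift {drift:+4d}s -> code {code} {verdict}")
```

A verifier can log the matched offset per token to see which devices are approaching the edge of the window before they start failing.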
Before you can continue with provisioning the tokens, the feature has to be enabled as described below:
Enable Google Authenticator in Admin Console
The provisioning process described below is done on behalf of the end user. Here are the requirements:
Follow the steps below to start the process:
In the web browser on your computer, sign in to Okta or an Okta-protected resource, enter your credentials and then click Next.
On the Set up multifactor authentication screen, click Setup.
Select your device type, and then click Next.
Don’t click Next in the browser yet.
On your mobile device, launch the NFC Burner app.
Tap Scan a QR on the burner app and then point your camera at the QR code displayed in the browser on your computer. Your device camera scans the QR code automatically.
Click the "Burn Seed" button.
Then push the button on the token and hold it close to the NFC antenna of your device. Click "connect" (optional: newer versions of the app should connect to the token automatically), then click the "burn seed" button. The app should show a "burn seed process succeeded" message if the process completes successfully.
In the web browser on your computer, click Next.
Turn the hardware token off and on, and, in the Enter Code field, enter the OTP value shown on the hardware token device.
Click Verify.
Please note that after five unsuccessful authentication attempts, regardless of the time between the attempts, the user account is locked and must be reset by an administrator.