× Welcome to the Centrify Community! We are rolling out product name changes — click here to learn more.

[How To] Configure the Google Authenticator as a mechanism for MFA

[How To] Configure the Google Authenticator as a mechanism for MFA

By Centrify Contributor III ‎03-23-2017 12:54 PM

Configuring Centrify to use the Google Authenticator to satisfy MFA challenges is a good way to give users another authentication factor. The set up is easy for end users once all of the policies are configured from an Centrify Identity Platform Administrator.


 To get started, log in to your Admin Portal and click on the Policies tab. Click the Add Policy Set button and give the policy a Name, like OATH Policy. Apply the policy to all users and devices or a specific role of users. On the left hand side, select Policy Settings > User Security Policies > OATH OTP. Click the drop down and select Yes to Allow OATH OTP integration. Also, select Yes to Show QR code for self-service and click Save.


OATH OTP Policy.png


 Next, go to an application policy or any other policy that is set to require MFA. I will demonstrate using my environment's Salesforce SAML application. From the Policy tab, scroll dow to the Default Profile (used if no conditions matched) and click the drop down. Choose Add New Profile from the drop down.  


Add New Profile.png


 Set the Profile Name to “OATH MFA Challenge”. For Challenge 1, check the box for OATH OTP Client.


OATH MFA Challenge.png



Press OK and then Save.


Now log in to the User Portal with an end user's account that will be required to authenticate using MFA. Click on the Account tab and click the Show QR Code button under OATH OTP Client. 


Show QR Code.png


On your mobile device, install the Google Authenticator application: 


Android - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en  


iOS - https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8


Blackberry - https://m.google.com/authenticator 


In the Google Authenticator application, click the Begin Setup button and select the Scan barcode option. 


Google Authenticator Begin Setup.PNG



Scan the QR code that is displayed in the User Portal. 


OTP Verification OTP.PNG


 Type the 6-digit code that is displayed on the Google Authenticator into the field under the QR code.



 OATH Verification.png



Now click the Verify button.


While logged in as the user that is a member of the role assigned to the application or other object that requires MFA, do the action that requires MFA.


In this demonstation, I will launch the Salesforce application from the User Portal since this application it is set to require MFA in my environment.


 Launch Salesforce.png


Type the current Verification Code displayed on the Authenticator mobile application into the Enter Verification Code field.

 OATH OTP Authentication.png


 After you click the Next button, the action requiring MFA will continue. In this demonstration, my end user is logged into Salesforce.

Salesforce Login.png


 This process can also OATH tokens can be used with any OATH token. Also, tokens can be uploaded in bulk via template in Admin Portal Settings > Authentication > OATH Tokens.



Bulk Token Import.png


An OATH token can also be deleted from this page if the device it is on has been lost or compromised.

Delete OATH Tokens.png






Showing results for 
Search instead for 
Do you mean 

Community Control Panel