- Get the content of the QR code for Okta Verify app setup. It looks like this:
oktaverify://email@domain.com/?t=XXXXX&f=YYYYY&s=https://DOMAIN.okta.com&issuer=DOMAIN.okta.com&isIdxEnabled=true
- Replace XXXXX, YYYYY, kid, n and DOMAIN with your values in the curl command below:
curl --request POST \
  --url https://DOMAIN.okta.com/idp/authenticators \
  --header 'Accept: application/json; charset=UTF-8' \
  --header 'Accept-Encoding: gzip, deflate' \
  --header 'Authorization: OTDT XXXXX' \
  --header 'Content-Type: application/json; charset=UTF-8' \
  --header 'User-Agent: D2DD7D3915.com.okta.android.auth/6.8.1 DeviceSDK/0.19.0 Android/7.1.1 unknown/Google' \
  --data '{
  "authenticatorId": "YYYYY",
  "device": {
    "clientInstanceBundleId": "com.okta.android.auth",
    "clientInstanceDeviceSdkVersion": "DeviceSDK 0.19.0",
    "clientInstanceVersion": "6.8.1",
    "clientInstanceKey": {
      "alg": "RS256",
      "e": "AQAB\n",
      "okta:isFipsCompliant": false,
      "okta:kpr": "SOFTWARE",
      "kty": "RSA",
      "use": "sig",
      "kid": "GET FROM https://<customer>.okta.com/oauth2/v1/keys",
      "n": "GET FROM https://<customer>.okta.com/oauth2/v1/keys"
    },
    "deviceAttestation": {},
    "displayName": "1Password",
    "fullDiskEncryption": false,
    "isHardwareProtectionEnabled": false,
    "manufacturer": "unknown",
    "model": "Google",
    "osVersion": "25",
    "platform": "ANDROID",
    "rootPrivileges": true,
    "screenLock": false,
    "secureHardwarePresent": false
  },
  "key": "okta_verify",
  "methods": [
    {
      "isFipsCompliant": false,
      "supportUserVerification": false,
      "type": "totp"
    }
  ]
}'
- Send this request and get the sharedSecret value from the response. This is your TOTP secret key. Paste it into the corresponding app (e.g. 1Password) and enjoy!
Notes:
- This request creates a new device named "1Password" in https://DOMAIN.okta.com/enduser/settings in the "Security Methods" block
- If it returns an invalid session error, your QR's content has probably expired
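
The substitution step above, as an added example that is not part of the original page: it parses the QR content and a JWKS document into the values the curl command expects, and rejects QR content whose `s` is not an https URL. The function names, the sample JWKS values and the issuer check are assumptions made for illustration.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample inputs using the page's placeholders (not real tokens or keys).
SAMPLE_QR = ("oktaverify://email@domain.com/?t=XXXXX&f=YYYYY"
             "&s=https://DOMAIN.okta.com&issuer=DOMAIN.okta.com&isIdxEnabled=true")
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "alg": "RS256", "use": "sig", "e": "AQAB",
     "kid": "KID-PLACEHOLDER", "n": "N-PLACEHOLDER"}]})


def parse_enrollment_uri(uri):
    """Split the QR content into the fields the enrollment request needs."""
    parts = urlsplit(uri)
    if parts.scheme != "oktaverify":
        raise ValueError("not an oktaverify:// URI")
    query = parse_qs(parts.query)
    missing = [k for k in ("t", "f", "s") if k not in query]
    if missing:
        raise ValueError("QR content lacks: " + ", ".join(missing))
    server = urlsplit(query["s"][0])
    # The token in t is sent to this host, so refuse anything but https.
    if server.scheme != "https" or not server.hostname:
        raise ValueError("s must be an https URL")
    issuer = query.get("issuer", [""])[0].lower()
    return {
        "account": parts.netloc,
        "token": query["t"][0],             # XXXXX in the curl command
        "authenticator_id": query["f"][0],  # YYYYY in the curl command
        "server": query["s"][0].rstrip("/"),
        # Assumption from the page's sample: issuer equals the host of s.
        "issuer_matches_server": issuer == server.hostname,
    }


def pick_signing_key(jwks_json):
    """Return (kid, n) of the first RSA signing key in a JWKS document."""
    for key in json.loads(jwks_json)["keys"]:
        if key.get("kty") == "RSA" and key.get("use") == "sig":
            return key["kid"], key["n"]
    raise ValueError("no RSA signing key in JWKS")


def request_fields(uri, jwks_json):
    """Map the QR and JWKS values onto the placeholders of the curl command."""
    qr = parse_enrollment_uri(uri)
    kid, n = pick_signing_key(jwks_json)
    return {"url": qr["server"] + "/idp/authenticators",
            "authorization": "OTDT " + qr["token"],
            "authenticatorId": qr["authenticator_id"], "kid": kid, "n": n}
```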