Multi-factor authentication is an important tool in your security arsenal. If your password is compromised, your account can still be protected by using high quality second factors, such as Authy, Google Authenticator, or Okta Verify. In this tutorial, I’ll show you how to authenticate, enroll in multi-factor authentication with Okta Verify, and process push notifications – all from the command line using a bash shell script.
Why would you ever want to do this? A) Because you can, and B) see A. Additionally, this approach has utility to DevOps teams who are interested in automation scripts as well as developers who want to get a better understanding of the API. The code for this post can be found on our Okta Developer GitHub.
Note: At this time, the instructions below are organized around the Apple Mac platform. However, it is a simple Bash shell script with few dependencies. It should run on any *nix platform style platform. It should also run on Windows with the Linux Subsystem, which includes bash.
Download the Okta Verify app from the Apple App Store or Google Play onto your primary mobile device. Using your computer’s browser, navigate to your organization’s Okta page, e.g. Fill in your company-issued credentials and click Sign In. Download Okta Verify and enjoy it on your iPhone, iPad, iPod touch, Mac OS X 10.15 or later or Apple Watch. Okta Verify is a lightweight app that is used to register your device to Okta. Registering your device to Okta gives you passwordless authentication to apps, strong device-level security, and more.
Search for Okta, click Get, click Install. When the plugin is installed, return to Okta and make sure the Okta plugin is active. Under Safari, go to Preferences. Be sure put a check next to Okta Extension App. Refresh the Okta page and you should be all set! If the plugin is needed in Chrome, you will see a. Okta Verify is a mobile app that verifies your identity in one of two ways. Okta can send you a push notification that you approve using Okta Verify. Alternatively, Okta Verify can generate a six-digit code that you enter into your Okta login screen to access your required app.
Okta Verify is just a part of the suite of tools Okta provides, and it’s the focus of this tutorial. Okta makes it super-simple to add all kinds of secure user management features, including MFA, to any application. Okta is a cloud service that allows developers to create, edit, and securely store user accounts and user account data, and connect them with one or multiple applications. Our API enables you to:
Ready to dig in? Register for a forever-free developer account and come on back so we can get into using MFA.
In order to enroll in and enforce MFA with Okta Verify, you need to configure your newly minted org. Log in to your Okta Org and switch to the Classic UI by clicking on the Developer Console dropdown at the top left of the screen.
Next, choose Security > Multifactor from the menu.
Before you can configure MFA enrollment for your Okta org, you need to choose which factors you will support. For the purposes of this post, we are going to enable Okta Verify only. On the Factors tab, click Edit. Enable the Okta Verify and Enable Push Notification checkboxes and click Save.
Click on the Factor Enrollment tab, click Edit to change the default policy and change Optional to Required. Click Update to save the default policy.
Click Add Rule, give it a name, and choose the first time the user signs in from the dropdown. Click Create Rule.
You now have configured MFA enrollment so that the next time any user logs in, they must enroll in Okta Verify. This is only one piece of the puzzle, though. Next, you’ll configure an enforcement policy so that each time a user logs in, they get a push notification for a second factor.
MFA Enforcement ensures that, under the conditions you specify, a user will have to deal with a second factor after authentication.
Choose Security > Authentication from the menu bar and click the Sign On tab.
Click Add Rule. Give the rule a name and check the Prompt for Factor checkbox. Choose Every Time. This makes it so that every time a user logs in, they must acknowledge the push notification in Okta Verify.
At this point, you’ve completed all of the Okta configuration. Let’s jump into your local configuration so that you can use multi-factor authentication from the command line.
The configuration for your local system is very straightforward. The Bash shell is a core requirement.
Beyond that, two other utilities are required. Curl is used to make API calls to Okta. Curl is built into Macs and most *nix platforms. On Windows, you’ll need to install the Linux Subsystem, which includes bash and curl.
The other requirement is jq. This is a lightweight command line JSON parser. All the responses from the Okta API are JSON, and so this utility makes it easy to parse these responses.
On Mac, run:
Note: This presumes that you’ve installed Homebrew on Mac.
On Windows, run:
Note: This presumes that you’ve install Chocolatey on Windows.
There are instructions to install jq on other platforms on jq’s GitHub download page.
You’ll also need to install the free Okta Verify mobile app.
It’s on the Google Play Store for Android and the Apple App Store for iOS.
Now that Okta is set up and local dependencies are installed, let’s use multi-factor authentication from the command line!
The okta_authn_mfa.sh
shell script has two required parameters: a username and an Okta org subdomain. You can see this by running the script from the command line without any parameters:
For my Okta domain, I run the command like so:
Notice that the script waits for me to enter my password. You won’t see the characters you type (or paste) when entering the password.
You’ll see output like this:
First, the script sends your username and password to Okta’s primary authentication endpoint:
It then uses jq
to extract the status from the response:
The first status you’ll get back is: MFA_ENROLL
. The script responds to that status by sending an enroll request using additional values pulled out of the response using jq
:
Enrolling in and enforcing MFA requires multiple steps. Okta tracks your progress and current state using a stateToken
. For each subsequent api call involved in the multi-factor flow, the script will reuse the stateToken
.
You should see a QR code printed out right in the terminal window:
Note: You may need to shrink the font size in your terminal to display the entire QR code at once.
Launch the Okta Verify app on your mobile device. Click Add Account to scan the QR code shown on your terminal window. Here’s a little video of this in action.
When you’ve completed enrollment, you should see something like this in the Okta Verify app:
Back in the shell script, hit enter once you see the “Successfully enrolled in push authentication” message in Okta Verify.
Note: It’s important that you hit enter only after seeing the green status message in Okta Verify. This is because the shell script makes an API call to Okta to confirm that you have successfully enrolled in Okta Verify. If you hit enter before enrollment is complete, this API call will fail.
You should see output like this:
Behind the scenes, the script is calling another Okta API call to confirm that the enrollment was successful:
The status
from the response should be SUCCESS
at this point.
Upon successful multi-factor enrollment, Okta returns a sessionToken
. Typically, this will be exchanged for a sessionId
that middleware such as a .NET or Spring Boot app could use to remote control the Okta session on your behalf. Or, it can be set as a session cookie in your browser when interacting with Okta directly. For the purposes of our bash shell script, it’s merely displayed.
One element of this process that is cheating a little is showing the QR Code in the terminal window. In order to accomplish this, I created a little API “shim” service that takes a URL to a QR code, parses the image and sends back the text representation of it that you see in your terminal window.
The code for this service can be found on the qrcode-term GitHub repository. It uses some great node.js libraries, including jimp to read the QR code image, qrcode-reader to parse the QR code image, and qrcode-terminal to send back an ascii version of the QR code. It’s not Okta-specific. It simply takes a publicly available URL for a QR code and returns the terminal version of it.
Behind the scenes, once the QR code is accessed, Okta will not show it again. This is a built-in security feature. So, if something goes wrong in showing the QR code in the terminal, you’ll need to re-run the bash shell script.
The script executes this API call to parse the QR code and send the result to the terminal:
Now that you’ve enrolled in MFA, you can see what it looks like to respond to the MFA challenge. Run the script as before. You’ll see output like this:
On your mobile device, you should get a push notification:
The polling for push approve...
message will continue to repeat in your terminal (every 10 seconds for up to a minute) until you touch the green Approve
button in the push notification.
Then, you’ll see the operation complete in your terminal window:
Now, you’ve experienced multi-factor enforcement from the command line.
The script executes this code to poll (wait) for you to touch the Approve button:
Until you touch the Approve button, the response status will be MFA_CHALLENGE
. Once you have touched the Approve button, the response status is SUCCESS
and the loop exits.
~/
(~/
is usually the file system path for your home folder on *nix systems, including Mac. See what I did there?)
If you’re anything like me, you like to get “close to the metal” when working with a new API to understand how everything works and hangs together. Later, I’ll use more efficient and effective tools, like the Okta Java SDK to streamline development.
In this post, we took a little stroll through the Okta Primary Authentication API and did some gymnastic feats not commonly seen in a shell script by enrolling in and responding to multi-factor authentication using Okta Verify.
I hope you’ve enjoyed this tour of the the multi-factor API for Okta Verify. There’s a lot more to see and if you’re interested in more multi-factor resources, check out these links:
If you have any questions, please leave a comment below, or hit us up on Twitter @oktadev.