This article presents troubleshooting steps to consider if custom OTP cards are configured for the org and the generated code is not working.
- Custom OTP
- Okta Identity Engine (OIE)
- Multi-Factor Authentication (MFA)
Please consider the following:
- The time skew cannot exceed 30 minutes, but it should not be too small.
  - This is generally the issue. Set the clock skew to the highest option and then test to see if this is the reason for the error.
- Users can ONLY be enrolled in one custom OTP at a time.
- Check the Secret Key used to enroll the users and make sure it is the correct one.
- Was the TOTP setup modified after the key was issued?
  - If so, the users must be re-enrolled.
- Confirm that the encryption added to Okta is the same as the encryption of the keys.
- Was the user enrolled via API? Can the enrollment be seen on the user's account?
- When enrolling users, make sure their factorID matches their assigned security token. If an incorrect factorID is used, an error occurs when the user attempts to authenticate.
- Verify that authentication is successful for a single user before enrolling multiple users.
- This feature only supports standard OTP tokens. Proprietary implementations or non-standard tokens are not supported.
- If using pre-programmed hardware keys, the token sheet provided by the manufacturer will be needed. This sheet should contain serial numbers and their associated secrets for each key to be used during the token enrollment process. If this sheet is not available, contact the vendor to obtain it in order to complete enrollment.
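To separate a clock-skew failure from a wrong or wrongly encoded secret, the check below recomputes the code offline and reports how far the token clock has drifted. It is an added example, not Okta code. It assumes the tokens implement standard RFC 6238 TOTP with a 30-second step; the function names are hypothetical and the secret is the published RFC 6238 test key, not a real token secret.

```python
import base64, hashlib, hmac, struct

def decode_secret(text, encoding):
    """Turn the secret as printed on a token sheet into raw key bytes."""
    if encoding == "base32":
        t = text.replace(" ", "").upper()
        return base64.b32decode(t + "=" * (-len(t) % 8))
    if encoding == "hex":
        return bytes.fromhex(text)
    if encoding == "ascii":
        return text.encode("ascii")
    raise ValueError("unknown encoding: " + encoding)

def totp(key, unix_time, step=30, digits=6, algo="sha1"):
    """RFC 6238 TOTP code for the time step that contains unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, getattr(hashlib, algo)).digest()
    off = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

def find_drift(key, code, server_time, max_skew=1800, step=30, algo="sha1"):
    """Seconds the token clock is off (negative = behind the server),
    or None when no time step within max_skew produces the code."""
    for n in range(max_skew // step + 1):
        for delta in ((0,) if n == 0 else (-n * step, n * step)):
            guess = totp(key, server_time + delta, step, len(code), algo)
            if hmac.compare_digest(guess, code):
                return delta
    return None

# Constructed sample: base32 form of the RFC 6238 test key "12345678901234567890".
SHEET_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    key = decode_secret(SHEET_SECRET_B32, "base32")
    token_time = 1111111109          # what the token's clock believes
    server_time = token_time + 600   # server is 10 minutes ahead
    code = totp(key, token_time, digits=8)
    print("code shown on token:", code)
    print("drift in seconds:", find_drift(key, code, server_time))
    # Same sheet value read with the wrong encoding: no step matches at all.
    wrong = decode_secret(SHEET_SECRET_B32, "ascii")
    print("wrong encoding:", find_drift(wrong, code, server_time))
```

A non-zero drift points at the clock skew setting; `None` across the whole 30-minute window points at the secret, its encoding, or the algorithm.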