Users are unable to authenticate with Okta FastPass (Okta Verify for Windows). When the user tries to authenticate, they receive an error in the Windows Event Logs:
Call to https://<domain>/api/v1/authenticators failed with Unauthorized. Request Id:
and,
AccountStateManaqer.InvokeTaskWithTracking: API error code InvalidToken detected on account <X>
- If the end-user hits "Sign in with Okta Fastpass", System Logs are not displayed, so retrieve the end-user's Windows Okta Verify Debug Log and find a log like the one below:
- If the end-user enters the user login and hits the next button(or silent probing occurs), the System logs will be displayed.
Reviewing the Okta Syslogs, the following error will be seen:
Authentication of user via MFA FAILURE: INVALID_CREDENTIALS
Expanded view:
- Okta Verify for Windows (WOV)
- Okta FastPass
- Time sync issue
This is caused by a time sync issue, specifically when the workstation's time significantly differs from the Okta servers. (For example, if the workstation is two minutes ahead of the server time.)
Using Windows Okta Verify log that starts like below, can decode the JWT token and confirm the time is different:
StartupHandler.InitializeContainer: Initializing primary instance with Arguments "--URI com-okta-authenticator:/deviceChallenge?challengeRequest= ~~If the JWT value is decoded, an "iat" property will be seen, which indicates when the JWT was issued (using the end user's OS time). Use it to verify how much time the end user device is off.
- Ensure that the workstation time is correctly synced. It is recommended to use an ntp service.
- Please ensure the end user's device has the clock set to automatic sync.
Related References
