We often get questions from customers on how the "Remember Device" button works with Okta multi-factor authentication (MFA).
Administrators have the option of setting MFA policies so users are only prompted for a second factor once per session or once per device. The Remember device checkbox is used by Okta to create a cookie so a user is not prompted again during that session or from that device.
However, if the session lifetime is too short, or the factor lifetime is too short, users may think the button is not working as designed. Additionally, for security reasons this checkbox is not selected by default. As a result, behavior can appear to be inconsistent if users log in after a session has expired, forget to check the box again, and try to log in again during the same session.
We apologize for any confusion or frustration, and are actively working to improve the end user experience. Soon, admins will be able to leverage the new Okta Sign-on Policy to set better defaults for users to make MFA more intuitive, as well as give more control to users leveraging Integrated Windows Authentication (IWA). Additionally, users will be able to manage their known devices, and will be able to "forget" a device should it be lost or stolen.
In addition to the improvements already planned, as part of Okta Adaptive MFA, Okta will "learn" which devices and networks users normally authenticate from, and allow IT to set a policy to only prompt users from unknown devices or locations.
To learn more about Okta Adaptive MFA, please visit the product page on our website or contact your Okta account executive.