Okta’s policy engine is extraordinarily powerful, allowing admins to configure everything from session times and factor lifetimes through to authenticator requirements (factors) and assessments of user, network, and device context.
Okta periodically reviews customer use of Okta Sign-on Policies and observes combinations of rules with the potential for conflicting policy outcomes: that is, policies that appear to contradict what the admin was attempting to achieve.
Listed below are a few of the common challenges we have observed:
Okta Sign-on Policy with Behavior Conditions and mode = “Per Device”
This Policy Rule evaluates Behavior Conditions and is configured to prompt for a factor on a “Per Device” basis. This option has been renamed to “When signing in with a new device cookie”.
When configured this way, the Policy Rule results in a user only being prompted for Multi-Factor Authentication the first time they sign on from any given device. The user won’t be presented with an MFA challenge on future occasions when they sign on from that device unless the cookie is cleared in the browser.
Recommendation: Consider updating the configuration to select “At every sign-in” under the “Users will be prompted for MFA” option to maximize security posture.
Okta Sign-on Policy with Risk Condition (MEDIUM or HIGH) and mode = “Per Device”
This Policy Rule evaluates Risk Conditions and is configured to prompt for a factor on a “Per Device” basis. (This option has been renamed to “When signing in with a new device cookie”.)
When configured this way, the Policy Rule results in a user only being prompted for Multi-Factor Authentication the first time they sign on from any given device. The user won’t be presented with an MFA challenge on future occasions when they sign on from that device.
In this instance, it’s possible that the admin intended to use the Policy Rule that evaluates Risk Conditions to act on anomalous or risky sign-on behavior. However, the current configuration results in more relaxed MFA requirements.
Recommendation: Consider updating the configuration to select “At every sign-in” under the “Users will be prompted for MFA” option to maximize security posture.
Okta Sign-on Policy with mode = “Per Session”, a short factorLifetime and a long session expiry
This Policy Rule will prompt a user to complete an MFA challenge once within the duration of the session. They will not necessarily be asked to re-authenticate when the “MFA/Factor Lifetime” expires.
This is because an “MFA/Factor Lifetime” is only enforced when the user creates a new session. The MFA/Factor Lifetime setting determines whether a user is challenged for Multi-Factor Authentication when they attempt to sign in after the MFA/Factor Lifetime period has expired. It is typically used to relax the requirement for MFA in those scenarios in which a user has signed out but attempts to sign in again within the specified lifetime of the MFA/Factor.
For example, if the MFA/Factor Lifetime period is set to 30 days and the session lifetime is set to 12 hours, the user will be signed out after 12 hours but will not be forced to MFA upon the next login until the MFA factor expires in 30 days.
Recommendation: If the admin intends to present the user with MFA more frequently, we recommend one of the following:
- Setting a shorter session expiry and selecting “At every sign-in” under the “Users will be prompted for MFA” option. This will ensure that Okta sessions expire and the user is prompted for MFA when attempting to sign in again; and/or
- Using App Sign-on Policies (Okta Classic) or Authentication Policies (Okta Identity Engine) to require an additional MFA challenge whenever a user attempts to access a specific application.
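The following simplified model, added here as an illustration and not Okta's own code, shows how the three settings discussed above (prompt mode, factor lifetime and session expiry) interact to decide whether a sign-in is challenged for MFA. It assumes the field names of the Okta Policy API sign-on rule (factorPromptMode, factorLifetime, maxSessionLifetimeMinutes) and ignores network, risk and behavior conditions, idle timeouts and the “remember device” cookie.

```python
# Added example (not Okta code): a simplified model of when a sign-on policy
# rule prompts for MFA. Field names follow the Okta Policy API rule object
# (actions.signon.factorPromptMode / factorLifetime,
# session.maxSessionLifetimeMinutes); everything else is an assumption.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SignOnRule:
    factor_prompt_mode: str        # "DEVICE", "SESSION" or "ALWAYS"
    factor_lifetime_min: int       # MFA/Factor Lifetime, in minutes
    max_session_lifetime_min: int  # session expiry, in minutes


@dataclass
class UserState:
    session_start: Optional[int] = None  # minute the current session began
    last_mfa: Optional[int] = None       # minute of the last MFA challenge
    known_devices: set = field(default_factory=set)  # device-cookie IDs seen


def sign_in(rule: SignOnRule, state: UserState, t_min: int, device: str) -> bool:
    """Return True if the sign-in at minute t_min prompts for MFA."""
    session_alive = (state.session_start is not None and
                     t_min - state.session_start < rule.max_session_lifetime_min)
    if session_alive:
        # No new sign-on inside a live session, so no prompt even when the
        # factor lifetime has already expired (third pitfall above).
        return False
    state.session_start = t_min  # the session had expired; a new one starts
    if rule.factor_prompt_mode == "ALWAYS":
        prompt = True
    elif rule.factor_prompt_mode == "DEVICE":
        # Only the first sign-on from a given device cookie is challenged.
        prompt = device not in state.known_devices
    else:  # "SESSION": challenged on a new session only once the lifetime expired
        prompt = (state.last_mfa is None or
                  t_min - state.last_mfa >= rule.factor_lifetime_min)
    state.known_devices.add(device)
    if prompt:
        state.last_mfa = t_min
    return prompt


def simulate(rule: SignOnRule, sign_ins: List[Tuple[int, str]]) -> List[bool]:
    """sign_ins: (minute, device_cookie_id) pairs. Returns one flag per sign-in."""
    state = UserState()
    return [sign_in(rule, state, t, d) for t, d in sign_ins]
```

Running the page's example (30-day factor lifetime, 12-hour session) through `simulate` yields a prompt on the first sign-in and none again until day 31, whereas the same rule with mode ALWAYS prompts on every new session.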