This article explains why a user is not prompted for Multi-Factor Authentication (MFA) after being signed out of the Admin Console for inactivity. When the configured session lifetime for the Admin Console application expires, Okta signs the user out of the console and presents a Sign in button. One might expect that, since the user was signed out, Okta would challenge the user for MFA when the Sign in button is clicked. In most configurations it does not, and this article explains why.
- Admin Console
- Admin Session
The behavior occurs when the Admin Console sign-on (authentication) policy is configured to prompt for authentication Once per session. The inactivity timeout ends only the Admin Console application session; the underlying Okta user session remains active. Because MFA was already satisfied within that Okta session, the Once per session requirement is still met, so clicking Sign in simply single-signs the administrator back into the Admin Console without a new MFA prompt. This is the Admin Console authentication policy working as configured, not an MFA bypass: the session granting access is the one the administrator established with MFA earlier.
To require an MFA challenge on every entry into the Admin Console, change the Admin Console Authentication Policy from Once per session to Every sign on. Okta then prompts for MFA each time the admin signs into the Admin Console, regardless of whether the Okta user session is still active. Because the policy is evaluated on every access to the application, this also means admins are challenged when opening the Admin Console from the End-User Dashboard, not only after an inactivity sign-out. Alternatively, ending the Okta user session itself (signing out of Okta rather than only the Admin Console, or an admin clearing the user's sessions) forces a full re-authentication, including MFA, under the existing policy.
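The following script is an added example for this article, not Okta's own code or tooling. It audits Admin Console authentication policy rules for the setting described above and produces a corrected copy of any rule that does not prompt on every sign-in. Field names follow the Okta Policies API for Identity Engine app sign-on (ACCESS_POLICY) rules (`actions.appSignOn.verificationMethod.factorMode` and `reauthenticateIn`, where `PT0S` is the API form of "every sign-in attempt"); the sample rule, its long re-authentication interval standing in for a "once per session" style setting, the org URL, and the API token are constructed placeholders and assumptions, not data from any real org.

```python
"""Audit and correct the re-authentication frequency on Okta Admin Console
authentication policy rules.

Added example for this article, not Okta's own code. Field names follow the
Okta Policies API for Identity Engine app sign-on (ACCESS_POLICY) rules:
actions.appSignOn.verificationMethod.factorMode / reauthenticateIn.
SAMPLE_RULE is constructed; the org URL and token in update_rule are placeholders.
"""
import copy
import json
import urllib.request

# ISO 8601 zero duration: re-authenticate (including MFA) on every sign-in attempt.
EVERY_SIGN_IN = "PT0S"

# Constructed sample rule. The long interval (assumption, not a real org value)
# stands in for a rule that does not challenge on every sign-in, so an existing
# Okta session satisfies it silently after an Admin Console inactivity sign-out.
SAMPLE_RULE = {
    "id": "0prExampleRuleId",
    "name": "Admin Console rule (constructed sample)",
    "status": "ACTIVE",
    "type": "ACCESS_POLICY",
    "actions": {
        "appSignOn": {
            "access": "ALLOW",
            "verificationMethod": {
                "type": "ASSURANCE",
                "factorMode": "2FA",
                "reauthenticateIn": "PT43800H",
                "constraints": [{"knowledge": {"types": ["password"]}}],
            },
        }
    },
}


def verification(rule):
    """Return the verificationMethod of an ALLOW rule, or {} for DENY rules."""
    return rule.get("actions", {}).get("appSignOn", {}).get("verificationMethod", {})


def is_deny(rule):
    return rule.get("actions", {}).get("appSignOn", {}).get("access") == "DENY"


def reauth_frequency(rule):
    return verification(rule).get("reauthenticateIn")


def prompts_mfa_every_sign_in(rule):
    """True only if the rule requires two factors and re-authenticates every sign-in."""
    v = verification(rule)
    return v.get("factorMode") == "2FA" and v.get("reauthenticateIn") == EVERY_SIGN_IN


def harden_rule(rule):
    """Return a copy of the rule set to prompt for MFA on every sign-in attempt.
    DENY rules carry no verificationMethod and are returned unchanged."""
    fixed = copy.deepcopy(rule)
    if is_deny(fixed):
        return fixed
    v = fixed.setdefault("actions", {}).setdefault("appSignOn", {}).setdefault("verificationMethod", {})
    v["factorMode"] = "2FA"
    v["reauthenticateIn"] = EVERY_SIGN_IN
    return fixed


def audit_rules(rules):
    """Summarize each rule's MFA prompt behavior for review."""
    return [
        {
            "rule": r.get("name"),
            "deny": is_deny(r),
            "factorMode": verification(r).get("factorMode"),
            "reauthenticateIn": reauth_frequency(r),
            "prompts_every_sign_in": prompts_mfa_every_sign_in(r),
        }
        for r in rules
    ]


def update_rule(org_url, api_token, policy_id, rule):
    """PUT a corrected rule back through the Policies API (network call, not run here).
    org_url is like https://example.okta.com; api_token is an SSWS API token."""
    req = urllib.request.Request(
        f"{org_url}/api/v1/policies/{policy_id}/rules/{rule['id']}",
        data=json.dumps(rule).encode(),
        method="PUT",
        headers={
            "Authorization": f"SSWS {api_token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for row in audit_rules([SAMPLE_RULE, harden_rule(SAMPLE_RULE)]):
        print(row)
```

Run it offline to see the sample rule flagged and its hardened copy pass; to apply the change to a real org, fetch the Admin Console policy's rules (`GET /api/v1/policies/{policyId}/rules`), pass each through `harden_rule`, review the diff, and only then call `update_rule`. Changing the rule affects every admin on each entry into the Admin Console, so test it in a preview org first.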
