In this article, we review a situation that can occur in Okta Identity Engine: a user who launches an application from the Dashboard is not prompted for MFA as expected, even though the application's Authentication Policy is configured with "User must authenticate with" set to "Password + Another Factor" or "Any 2 Factor Types".
Applies to:
- Okta Identity Engine (OIE)
- Global Session Policy
- Authentication Policy
- Multi-Factor Authentication (MFA) Settings
This issue may present when these options are set:
- "Password re-authentication frequency is" and "Re-authentication frequency for all other factors is": These two options appear only when Password + Another Factor is selected. They let you specify different re-authentication intervals for the password and for the other factors. For example, the policy might require users to re-authenticate with their password if more than eight hours have passed since they last authenticated, and with a possession factor every time they access the app.
- Never re-authenticate if the session is active: Once users authenticate from their device, they aren’t prompted to authenticate again until either the maximum session lifetime is reached or they sign out of Okta.
If these options are set while the Global Session Policy requires MFA, and the user has already signed in to the Dashboard to launch the application, the Okta session for the Dashboard has already satisfied the MFA requirement, and an Authentication Policy set to "Never re-authenticate" accepts that session. The user is therefore not expected to complete another MFA challenge when accessing the app.
If the desired behavior is that access to the app should require MFA:
- Navigate to Okta Admin Console > Security > Authentication Policies.
- Select the authentication policy designed for the app that should require MFA and click on it.
- Next, click on the Edit button.
- Set "Re-authentication frequency for all other factors is" to "Every Sign on", or choose "Re-authenticate after" and configure a time.
- Click Save.
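To find rules with this behavior across many apps, the check below is an added example, not Okta's code and not part of the original article. It assumes rules exported as JSON in the shape of Okta Policies API authentication policy rules (`actions.appSignOn.verificationMethod` with `factorMode` and `reauthenticateIn`); the per-factor `possession.reauthenticateIn` override, the sample rules and the long interval standing in for "Never re-authenticate" are assumptions constructed for illustration.

```python
import re

# ISO 8601 durations in day/hour/minute/second form, e.g. PT0S, PT8H, P1DT12H.
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def duration_seconds(value):
    m = _DURATION.match(value or "")
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds

def audit_rule(rule, max_seconds=0):
    """List reasons this rule can skip the second factor at app launch.

    max_seconds=0 accepts only "Every sign on" for the non-password factors.
    """
    vm = rule.get("actions", {}).get("appSignOn", {}).get("verificationMethod", {})
    if vm.get("factorMode") != "2FA":
        return ["rule does not require two factors"]
    findings = []
    for constraint in vm.get("constraints") or [{}]:
        # Assumption: a per-factor interval overrides the rule-level one.
        interval = constraint.get("possession", {}).get(
            "reauthenticateIn", vm.get("reauthenticateIn"))
        if interval is None:
            findings.append("no re-authentication interval set")
        elif duration_seconds(interval) > max_seconds:
            findings.append(f"second factor re-prompted only after {interval}")
    return findings

def _rule(name, mode, interval, constraints=None):
    # Builds a constructed rule in the assumed export shape.
    vm = {"type": "ASSURANCE", "factorMode": mode, "reauthenticateIn": interval}
    if constraints:
        vm["constraints"] = constraints
    return {"name": name, "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": vm}}}

# Constructed sample rules, not taken from any real org.
SAMPLE_RULES = [
    _rule("every-sign-on", "2FA", "PT0S"),
    _rule("long-interval", "2FA", "PT43800H"),  # stands in for "Never re-authenticate"
    _rule("split", "2FA", "PT8H", [{"knowledge": {"types": ["password"], "reauthenticateIn": "PT8H"},
                                    "possession": {"reauthenticateIn": "PT0S"}}]),
    _rule("password-only", "1FA", "PT2H"),
]

def audit(rules, max_seconds=0):
    report = {r["name"]: audit_rule(r, max_seconds) for r in rules}
    return {name: found for name, found in report.items() if found}
```

Raising `max_seconds` accepts a "Re-authenticate after" interval up to that length instead of requiring a prompt on every launch.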