Maximum Value for the LoginPeriodWithOfflineFactor Parameter in macOS Desktop MFA Policies
Mar 11, 2026
Okta Device Access
Okta Identity Engine
Overview
This article clarifies the maximum value limit for the LoginPeriodWithOfflineFactor parameter within macOS Multi-Factor Authentication (MFA) policies.
Applies To
- Okta Identity Engine (OIE)
- Okta Device Access for macOS
- Multi-Factor Authentication (MFA)
Solution
Okta does not enforce a specific maximum value for the LoginPeriodWithOfflineFactor parameter. The theoretical limit is the maximum integer size supported by macOS.
Best Practice
Instead of aiming for a theoretical maximum, administrators should configure this value based on their organization's specific security policies and operational needs. The recommended approach is to set the value to a duration that covers the longest expected period a user might be offline.
Formula: (Maximum time between forced reboots) + (Maximum expected travel/offline time)
Example: If an organization enforces a reboot every 14 days (336 hours) and wants to allow an additional week (168 hours) for travel, set the value to 504 hours (21 days).
Key Parameter Details
| Attribute | Value |
| Name | LoginPeriodWithOfflineFactor |
| Type | Real (integer representing hours) |
| Default | 168 (hours, equivalent to 7 days) |
| Warning | Setting the value to 0 will prevent users from using any offline factors to sign in. |
