Missing Okta Authentication Prompt Immediately After Initial Sign-In
Okta Identity Engine
Administration
Overview

This article explains why an authentication prompt does not appear when an end user launches an application immediately after an initial sign-in. This behavior occurs even when the authentication policy mandates a challenge every time the user signs in to the resource.

Applies To
  • Okta Dashboard
  • Authentication policies
  • Two-Factor Authentication (2FA)
  • Multi-Factor Authentication (MFA)
  • Okta Identity Engine (OIE)

 

Cause

A ten-second grace period applies after a user authenticates. During this grace period, users are not prompted to authenticate again, even if the "Every time the user signs in to the resource" option is selected in the policy. For example, if an end user signs in to the Okta Dashboard with Two-Factor Authentication (2FA), such as a password and an Okta Verify push, and then launches another application tile within 10 seconds, the prompt for that application is bypassed to avoid repetitive prompts.

Solution

To bypass the grace period and ensure users are challenged for Multi-Factor Authentication (MFA) every time, regardless of how quickly the app is launched, implement an authentication method chain.

  1. Identify the authentication policy using the "Every time user signs in to resource" option.
  2. Implement an Authentication method chain in the authentication policy to apply stricter evaluation algorithms and bypass the 10-second grace period.
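
To see which application launches fell inside the ten-second window described under Cause, sign-on events can be compared with the authentication event that precedes them in the same session. The script below is an added example, not Okta code: the event type names are Okta System Log event types, while the flattened tuple layout, the sample records, and the rule that the first sign-on after an authentication is the one that authentication was performed for are assumptions.

```python
from datetime import datetime, timedelta

GRACE = timedelta(seconds=10)  # grace period described under Cause
AUTH_EVENTS = {"user.session.start", "user.authentication.auth_via_mfa"}
SSO_EVENT = "user.authentication.sso"

# Constructed sample, not real log data: (time, event type, user, session, app).
# Flattening System Log entries into this tuple layout is an assumption.
SAMPLE = [
    ("2024-05-01T09:00:00Z", "user.session.start", "alice@example.com", "s1", None),
    ("2024-05-01T09:00:03Z", "user.authentication.auth_via_mfa", "alice@example.com", "s1", None),
    ("2024-05-01T09:00:04Z", SSO_EVENT, "alice@example.com", "s1", "Okta Dashboard"),
    ("2024-05-01T09:00:09Z", SSO_EVENT, "alice@example.com", "s1", "Payroll"),
    ("2024-05-01T09:05:00Z", "user.authentication.auth_via_mfa", "alice@example.com", "s1", None),
    ("2024-05-01T09:05:01Z", SSO_EVENT, "alice@example.com", "s1", "HR Portal"),
    ("2024-05-01T09:05:08Z", SSO_EVENT, "alice@example.com", "s1", "Wiki"),
    ("2024-05-01T10:00:00Z", "user.session.start", "bob@example.com", "s2", None),
    ("2024-05-01T10:00:02Z", "user.authentication.auth_via_mfa", "bob@example.com", "s2", None),
    ("2024-05-01T10:00:03Z", SSO_EVENT, "bob@example.com", "s2", "Okta Dashboard"),
    ("2024-05-01T10:00:40Z", "user.authentication.auth_via_mfa", "bob@example.com", "s2", None),
    ("2024-05-01T10:00:42Z", SSO_EVENT, "bob@example.com", "s2", "Payroll"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def grace_window_launches(events):
    """Return (user, app, seconds since last authentication) for sign-ons that
    reused an authentication already consumed by an earlier sign-on."""
    state = {}  # session id -> [time of last auth event, sign-ons seen since]
    hits = []
    for ts, etype, user, session, app in sorted(events, key=lambda e: e[0]):
        when = parse(ts)
        if etype in AUTH_EVENTS:
            state[session] = [when, 0]  # a fresh authentication resets the count
        elif etype == SSO_EVENT and session in state:
            last_auth, used = state[session]
            state[session][1] = used + 1
            # The first sign-on after an authentication is the one it was done for;
            # a later one inside the window was let through without a new prompt.
            if used >= 1 and when - last_auth <= GRACE:
                hits.append((user, app, (when - last_auth).total_seconds()))
    return hits

if __name__ == "__main__":
    for user, app, gap in grace_window_launches(SAMPLE):
        print(f"{user} launched {app} {gap:.0f}s after authenticating, no new prompt")
```

Running the same check on logs collected after the authentication method chain is in place shows whether such launches still occur.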