This article explains the behavior of YubiKey re-authentication in an Okta environment. It clarifies why a user may be prompted for re-authentication more frequently than an administrator, even when accessing similar applications.
- YubiKey
- Authentication Policies
- Okta Identity Engine (OIE)
The difference in re-authentication frequency occurs because users and administrators may be subject to different authentication policies with varying re-authentication timers. An administrator's continuous use of various applications, each triggering a successful YubiKey authentication, can also repeatedly reset the primary Okta session timer, delaying the need for a re-authentication prompt.
The re-authentication behavior depends on how authentication policies are configured for the applications.
- Shared Authentication Policy: If multiple applications share the same authentication policy, a successful YubiKey authentication for one application resets the re-authentication timer for all other applications under that same policy.
- Different Authentication Policies: If applications have different authentication policies, their re-authentication requirements are managed independently. Authenticating into one application does not reset the re-authentication timer for another. A user will be prompted to re-authenticate for an application once its specific policy's timeout is reached.
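The two cases above can be reproduced with a simplified model of a per-policy re-authentication timer. This is an added example, not Okta code or configuration; the policy names, intervals, application names and access times are constructed, and the model assumes one user and ignores the primary Okta session timer.

```python
from datetime import datetime, timedelta

# Constructed policy table: policy name -> re-authentication interval (assumed values).
POLICIES = {
    "shared-2h": timedelta(hours=2),
    "strict-30m": timedelta(minutes=30),
}

def reauth_prompts(app_policy, accesses, policies=POLICIES):
    """Return the accesses that would trigger a YubiKey prompt.

    app_policy: app name -> policy name
    accesses:   time-ordered list of (timestamp, app) for one user
    The timer is tracked per policy, so one authentication covers every
    app assigned to that policy until the policy's interval elapses.
    """
    last_auth = {}  # policy name -> time of last successful authentication
    prompts = []
    for ts, app in accesses:
        policy = app_policy[app]
        previous = last_auth.get(policy)
        if previous is None or ts - previous >= policies[policy]:
            prompts.append((ts, app, policy))
            last_auth[policy] = ts  # only a successful authentication resets the timer
    return prompts

def _t(hhmm):
    # Helper for the constructed sample data: all accesses fall on one day.
    return datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed access sequence for one person over a morning.
ACCESSES = [(_t("09:00"), "mail"), (_t("09:20"), "wiki"), (_t("09:50"), "hr"),
            (_t("10:10"), "wiki"), (_t("10:30"), "hr"), (_t("11:05"), "mail")]

# Case 1: all three apps share one authentication policy.
SHARED = {"mail": "shared-2h", "wiki": "shared-2h", "hr": "shared-2h"}
# Case 2: "hr" is assigned its own, stricter policy.
SPLIT = {"mail": "shared-2h", "wiki": "shared-2h", "hr": "strict-30m"}

if __name__ == "__main__":
    for name, mapping in (("shared", SHARED), ("split", SPLIT)):
        print(name)
        for ts, app, policy in reauth_prompts(mapping, ACCESSES):
            print(f"  {ts:%H:%M} prompt for {app} (policy {policy})")
```

With the shared mapping the same access sequence produces two prompts; with the split mapping it produces four, because the `hr` timer runs independently and authenticating to `hr` does not postpone the prompt for `mail`.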
