Okta Classic Engine | Administration | Answered | Asked 2020-05-14T19:03:47Z, last updated 2020-05-15T03:46:29Z

TriH.41133 (Customer) asked a question.

Okta MFA Policy

We have an MFA rule that will invoke MFA if the user is accessing Okta while off the network. Currently it is set to invoke MFA every time, and the session expiration is defaulted to 2 hours.


Some users complain the MFA prompts are too aggressive and I am thinking about changing it to find a good balance for the end-user and IT security.


Here are my questions:

  1. If I change the MFA policy to prompt for MFA "Per Device with the Session expires after 24 hours", will the user receive an MFA prompt the next day (after 24 hrs) on that same device?
  2. If I have the session to expire after 24 hours does that apply to Okta SP applications or does that session expiration apply only to the Okta web page?


I have opened a ticket with Okta support, but they are still confirming. I'm hoping someone can shed some light or provide Okta documentation on the policy settings. Thank you.


  • TriH.41133 (Customer)

    I found this from the Okta Support page, which seems to be working as designed!

    • Do Not Challenge Me On This Device Again. I want to confirm if that selection is indefinite or expires after the 24 hrs. session?
      • Based on this link, https://support.okta.com/help/s/end-user-mfa-faqs: If they have set that window to every eight hours or 24 hours, you'll see MFA prompts again after that window, even if you've checked the Do not challenge me on this device again box. (Cookie based.)

    • The (Okta) session lifetime is not affected by activity within an application.
      • When you're logged out of your Okta session, Okta doesn't automatically log you out of your applications. Your apps have their own session lifetime, which they determine, or you can manually log out of them when you're finished. https://support.okta.com/help/s/end-user-faqs
      • So if we set the session expiration to be 24 hours, the user would not need to authenticate back into the Okta page until the end of the 24-hour window. However, if the user clears their cookie cache, the timer would reset.
This question is closed.