0D54z00007C6oeuCAB | Okta Classic Engine | Multi-Factor Authentication | Answered | 2021-09-27T18:24:25.000Z | 2021-09-24T14:40:05.000Z | 2021-09-27T18:24:25.000Z

PrateekS.94952 (Customer) asked a question.

MFA Code Expiration and sessionToken Expiration

Query 1

The MFA code is expiring even after setting it to 30 minutes (please see the screenshot for reference); it is expiring in 5 minutes.

 

[Screenshot]

Query 2

How can we extend the sessionToken lifetime? It is expiring even after being updated to 30 minutes in the SignOn Policy rule. If the user is idle for more than 5 minutes on the MFA Verification page, then we get a session expiration message. We want to increase the lifetime up to 5 hours.

 

[Screenshot]

Query 3

How can we redirect to the custom login page if the session has expired? In this case we want the user to see our portal’s login page.

 

[Screenshot]


  • User16217756083163237002 (Shared Services)

    Hello Prateek,

     

    - Query number 1.

    The best practice is to set the OTP lifetime to 10 min or less, as per the document below:

    https://help.okta.com/en/prod/Content/Topics/Security/mfa/email.htm

    If you set the OTP lifetime to 10 minutes, then you need to make sure that the browser will keep the session active; otherwise, as soon as you try to enter the original code, the browser may get refreshed, sending a new code and invalidating the original code.

     

    - Query number 2.

    Factor Lifetime and Session Lifetime work based on the browser cookies and cache. The browser should be configured to allow cookies and cache for the Okta tenant URL. Regarding Factor Lifetime, the user has to mark the option saying "Do not prompt on this device ..."; otherwise, even if cookies and cache are allowed on the browser, Factor Lifetime won't take action.

     

    - Query number 3.

    If you get the message indicating that "Your session expired", it means that there has been some time without activity in the browser, so its session has simply timed out; you can refresh the page in order to enter the credentials again.

This question is closed.