0D5KZ00001I8oZp0AJ | Okta Classic Engine | Authentication | Answered | 2025-09-05T21:01:37.000Z | 2025-08-27T22:47:52.000Z | 2025-09-05T21:01:37.000Z
Modifying Password Reset Link/Token Lifetime: Passwordless Onboarding

A POC I am doing for a "passwordless" new-hire Activation onboarding Workflow includes having to do as described in the article/blog posting below (there is no other way to bring the User to a Set a New Password dialog; I have tried for several months):

 

https://support.okta.com/help/s/blog/a674z000001No5kAAC/empowering-new-active-directory-users-to-set-passwords-securely-with-workflows?language=en_US

 

(Basically, one must use an Activate User card followed by a Reset Password card, if one is in AD Delegated Authentication mode like we are.)

 

That Activation Link/Reset PW URL works, but only lives for 1 hour.

We have Users globally who get our custom Activate Your Account email but might not get to act on it until the next day.

There is an Okta article on using the Okta API to simply set that token to last a longer time, in whole-hourly minute values like 120 mins, 180 mins, 540 mins, etc. (max is 300000).

 

What caveats does anyone have to doing this? I am thinking setting it to a 24 or 48 hour lifetime would be safe.


  • DianaL.19788 (Customer Support Online Community and Social Care)

    Hello @MichaelM.97914 (Dexcom), thank you for contacting Okta Community.

     

    What you are trying to achieve would weaken the company's security. We do not recommend increasing the lifespan of this token. In the Okta Identity Engine (OIE) tenants, the lifespan of the password reset link is hardcoded to 1 hour, and it cannot be modified from the Okta admin dashboard. We have documented an example using the API if you want to try:

    How to Modify the Reset Password Link Lifespan

     

    A more secure option would be to schedule an event. This way, the user would receive their token at a certain time (for example, 8 am their local time on a Monday), but the token would still expire after one hour has passed. The Workflows Console uses UTC (or GMT). If you have an attribute in the Okta user profile with an ISO8601 date/time that can be converted to UTC (or stored as UTC), this is achievable with Okta Workflows. You can read more about it here:

    How to Use the Scheduled Flow Event Card Okta Workflows

     

    Regards. 

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

    Just released: More Okta Community badges just added

  • What are the ramifications though, of editing the lifespan to 8 hrs vs the 1? If someone were to say it's a security posture issue, I would think emailing the Activation link is also one, no?

     

    There is another posting in Community several years ago, regarding using Magic Link for similar passwordless activation/onboarding, but the Answer says it was in beta but never got out of beta/never became EA. (The idea here is to eliminate use or transmission or sharing of Temp Passwords)

    • DianaL.19788 (Customer Support Online Community and Social Care)

      Hello @MichaelM.97914 (Dexcom), in general, the longer a token is valid, the greater its potential liability. For more specific assistance tailored to your org's configuration, I recommend that you open a Support ticket (Customer Support Account ID number required) so one of our engineers can analyze it and advise you. You could also provide more details in a ticket that shouldn't be given here, as this is a public space.

       

      Please note that opening a support ticket is a feature available only to paid accounts. If you do not have a paid account, but are interested in upgrading, you can contact our Sales team.

       

      Regards. 

  • BrandonB.06003 (Customer)

    I would do something like expire password to generate a temp password instead. The password doesn't expire, so that could be an issue depending on security policy.

This question is closed.
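
The scheduled-delivery approach from the first reply, as an added example that is not part of the thread and not Okta's own code: it converts each user's ISO 8601 start time to the UTC instant a UTC-based scheduler needs, keeps the one-hour link lifetime, and refuses timestamps that carry no offset. The logins, timestamps and function names are constructed for illustration, and no Okta API is called.

```python
from datetime import datetime, timedelta, timezone

TOKEN_LIFETIME = timedelta(hours=1)  # reset-link lifetime discussed in the thread


def plan_send(local_start_iso, now_utc):
    """Return (send_at, expires_at) in UTC for one user's activation email."""
    start = datetime.fromisoformat(local_start_iso)
    if start.tzinfo is None:
        # The scheduler runs in UTC, so a value without an offset is ambiguous.
        raise ValueError("no UTC offset in " + repr(local_start_iso))
    send_at = start.astimezone(timezone.utc)
    while send_at <= now_utc:
        # Stored time already passed: use the same local clock time on the next day.
        send_at += timedelta(days=1)
    return send_at, send_at + TOKEN_LIFETIME


def plan_batch(users, now_utc):
    """Build a UTC send schedule; unusable timestamps are reported, not sent."""
    schedule, rejected = [], []
    for login, local_start_iso in users:
        try:
            send_at, expires_at = plan_send(local_start_iso, now_utc)
        except ValueError as exc:
            rejected.append((login, str(exc)))
            continue
        schedule.append((send_at.isoformat(), expires_at.isoformat(), login))
    return sorted(schedule), rejected


# Constructed sample data: (login, 08:00 local start as ISO 8601 with offset).
SAMPLE_USERS = [
    ("hire.tokyo@example.com", "2025-09-08T08:00:00+09:00"),
    ("hire.sandiego@example.com", "2025-09-08T08:00:00-07:00"),
    ("hire.nooffset@example.com", "2025-09-08T08:00:00"),
    ("hire.late@example.com", "2025-09-05T08:00:00+01:00"),
]
NOW = datetime(2025, 9, 5, 21, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    schedule, rejected = plan_batch(SAMPLE_USERS, NOW)
    for send_at, expires_at, login in schedule:
        print(f"{login}: send {send_at}, link expires {expires_at}")
    for login, reason in rejected:
        print(f"{login}: skipped ({reason})")
```

The rollover does not skip weekends; a real flow would add whatever working-day rule the organization uses.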