How Okta Mobile works with MFA and Session Expiration settings
Learn how Multifactor Authentication (MFA) and session expiration settings interact with end-user MFA options on Android and iOS devices.
Options that you configure in the Okta Admin console interact with mobile device-user settings and the state of the Okta Mobile app. This interaction determines when Okta Mobile users are challenged for MFA or prompted to use a PIN, fingerprint, or Face ID to unlock Okta Mobile.
Users must re-authenticate after prolonged Okta Mobile inactivity. Users who haven't used Okta Mobile for 30 days or longer are prompted to enter their Okta credentials when they next open Okta Mobile. This occurs because Okta Mobile relies on an internal token for authentication that expires after 30 days of inactivity. This token expiration is separate from PIN and MFA expiration.
Okta Mobile on iOS devices
Admin sets the Sign On Policy Rule: Prompt for Factor | User selects the option "Do not challenge me on this device" | User DOESN'T select the option "Do not challenge me on this device" |
---|---|---|
Per Device |
|
|
Every Time |
| |
Per Session |
|
|
Options in the Okta Admin Console | Okta Mobile State | |
---|---|---|
Okta Mobile is in the foreground and idle (for example, 11 minutes) | Okta Mobile is in the background or locked (for example, 11 minutes) | |
Session expires after (for example, 10 minutes): tab |
| The user session expired or the PIN timed out and Okta Mobile is locked. Okta prompts the user for a PIN or fingerprint when they try to unlock Okta Mobile. |
Ask for PIN when user is inactive for (for example, 10 minutes): |
|
Okta Mobile on Android devices
Admin sets the Sign On Policy Rule: Prompt for Factor | User selects the option "Do not challenge me on this device" | User DOESN'T select the option "Do not challenge me on this device" |
---|---|---|
Per Device |
| Okta prompts users for MFA whenever they launch or unlock Okta Mobile. |
Every Time |
| |
Per Session |
| Okta prompts users for MFA whenever they launch or unlock Okta Mobile. The Factor Lifetime setting has no effect. |
Options in the Okta Admin Console | Okta Mobile State | |
---|---|---|
Okta Mobile is in the foreground and idle (for example, 11 minutes) | Okta Mobile is in the background or locked (for example, 11 minutes) | |
Session expires after (for example, 10 minutes): tab |
|
|
Ask for PIN when user is inactive for (for example, 10 minutes): |
|