Change the authentication frequency

If the MFA lifetime is shorter than your session expiration length, users with active sessions aren't prompted to authenticate again when their MFA expires.

HealthInsight task recommendation

In your Okta sign-on policy or app sign-on policy, shorten the amount of time that a user can be idle. Require users to provide MFA every time they sign in.

Okta recommends

To increase the authentication frequency for all resources, configure these conditions in your Okta sign-on policy:

  • Set your session expiration to a shorter duration

  • Require MFA at every sign-in attempt

To increase the authentication frequency for specific apps, create an app sign-on policy with your desired session length and MFA lifetimes.

Security impact: Moderate

End-user impact: Session times are aligned with the MFA lifetime that you configure. Users authenticate more frequently.

Increase authentication frequency for all resources

  1. In the Admin Console, go to Security > Okta Sign-on Policy.

  2. Select the policy that you want to edit.

  3. In the Rules table, locate the rule that you want to edit and make these updates:

    • Authentication: Required

    • Users will be prompted for MFA: At every sign-in attempt

    • Maximum Okta session lifetime: Set time limit in days, hours, or minutes

  4. Click Update Rule.
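To find rules that still need these updates, the following check audits sign-on policy rules exported as JSON. It is an added example, not part of Okta's documentation or tooling. The field names are assumed to follow the sign-on rule object in Okta's Policy API, the sample rules are constructed, and the 60-minute idle threshold is an arbitrary choice.

```python
import json

# Constructed sample rules shaped like the "actions.signon" object of a sign-on
# policy rule (field names assumed from Okta's Policy API; lifetime 0 = no limit).
SAMPLE_RULES = json.loads("""
[
  {"name": "Legacy rule", "status": "ACTIVE", "actions": {"signon": {
      "access": "ALLOW", "requireFactor": true, "factorPromptMode": "SESSION",
      "factorLifetime": 15,
      "session": {"maxSessionIdleMinutes": 120, "maxSessionLifetimeMinutes": 0}}}},
  {"name": "Hardened rule", "status": "ACTIVE", "actions": {"signon": {
      "access": "ALLOW", "requireFactor": true, "factorPromptMode": "ALWAYS",
      "session": {"maxSessionIdleMinutes": 30, "maxSessionLifetimeMinutes": 480}}}}
]
""")

def audit_rule(rule, max_idle=60):
    """Return a list of findings for one sign-on policy rule."""
    findings = []
    signon = rule.get("actions", {}).get("signon", {})
    if rule.get("status") != "ACTIVE" or signon.get("access") != "ALLOW":
        return findings  # inactive or deny rules do not create sessions
    session = signon.get("session", {})
    idle = session.get("maxSessionIdleMinutes", 0)
    lifetime = session.get("maxSessionLifetimeMinutes", 0)
    if not signon.get("requireFactor", False):
        findings.append("MFA is not required")
    elif signon.get("factorPromptMode") != "ALWAYS":
        findings.append("MFA is not prompted at every sign-in attempt")
        mfa = signon.get("factorLifetime")
        # The gap this page describes: MFA expires while the session stays active.
        if mfa is not None and (lifetime == 0 or mfa < lifetime):
            findings.append(f"MFA lifetime ({mfa} min) is shorter than the session lifetime")
    if lifetime == 0:
        findings.append("no maximum session lifetime is set")
    if idle > max_idle:
        findings.append(f"idle timeout ({idle} min) exceeds {max_idle} min")
    return findings

def audit(rules, max_idle=60):
    """Map rule name -> findings, keeping only rules that have any."""
    report = {r["name"]: audit_rule(r, max_idle) for r in rules}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for name, found in audit(SAMPLE_RULES).items():
        print(name, "->", "; ".join(found))
```

A rule that reports no findings already matches the settings in step 3.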

Increase authentication frequency for specific resources

  1. Configure an app sign-on policy.

  2. For Prompt for re-authentication frequency is, select Every sign-in attempt.

Related topics

Configure an Okta sign-on policy

Configure an app sign-on policy