How Okta Mobile works with MFA and Session Expiration settings

Learn how Multifactor Authentication (MFA) and session expiration settings interact with end-user MFA options on Android and iOS devices.

Options that you configure in the Okta Admin console interact with mobile device-user settings and the state of the Okta Mobile app. This interaction determines when Okta Mobile users are challenged for MFA or prompted to use a PIN, fingerprint, or Face ID to unlock Okta Mobile.

Users must re-authenticate after prolonged Okta Mobile inactivity. Users who haven't used Okta Mobile for 30 days or longer are prompted to enter their Okta credentials when they next open Okta Mobile. This occurs because Okta Mobile relies on an internal token for authentication that expires after 30 days of inactivity. This token expiration is different from PIN and MFA expiration.

Okta Mobile on iOS devices

The admin sets the Sign On Policy Rule "Prompt for Factor" to one of the values below. The resulting behavior depends on whether the user selects the option "Do not challenge me on this device".

Per Device

User selects "Do not challenge me on this device":
  • Okta prompts users for MFA when they launch Okta Mobile for the first time.
  • No MFA prompt in subsequent sessions.
User doesn't select "Do not challenge me on this device":
  • Expected behavior: Okta prompts users for MFA whenever they launch or unlock Okta Mobile.
  • Known issue: Okta prompts users for MFA only when they launch Okta Mobile, and the first time they unlock Okta Mobile after an expired session.

Every Time

  • The Do not challenge me on this device option is not available in Okta Mobile.
  • Okta prompts for MFA whenever users launch or unlock Okta Mobile.

Per Session

User selects "Do not challenge me on this device":
  • Okta doesn't prompt users for MFA when they launch or unlock Okta Mobile during the time period you specified in the Factor Lifetime setting.
  • Users see but can't change the Factor Lifetime value.
User doesn't select "Do not challenge me on this device":
  • Expected behavior: Okta prompts users for MFA whenever they launch or unlock Okta Mobile. The Factor Lifetime setting has no effect.
  • Known issues:
      • If users close Okta Mobile and re-launch it before the specified Factor Lifetime has elapsed, they are NOT prompted for MFA, although they should be.
      • If users close Okta Mobile and re-launch it after the specified Factor Lifetime has elapsed, they are prompted for MFA as expected. However, the Do not challenge me on this device option is shown as selected although the users didn't choose it.

Options in the Okta Admin Console

The behavior of each option below is given for two states of Okta Mobile: in the foreground and idle (for example, for 11 minutes), and in the background or locked (for example, for 11 minutes).

Session expires after (for example, 10 minutes; Security > Authentication > Sign On tab)

Okta Mobile is in the foreground and idle:
  • The user session remains active.
  • Okta Mobile isn't locked.
Okta Mobile is in the background or locked:
  • The user session expired or the PIN timed out, and Okta Mobile is locked. Okta prompts the user for a PIN or fingerprint when they try to unlock Okta Mobile.

Ask for PIN when user is inactive for (for example, 10 minutes; Security > General > Okta Mobile)

  • Expected behavior: Okta Mobile is locked and Okta prompts the user for a PIN or fingerprint when they try to unlock the app.
  • Known issue: The user inactivity setting is not applied. Okta Mobile remains active and the user can continue to use the app without entering a PIN.

Okta Mobile on Android devices

The admin sets the Sign On Policy Rule "Prompt for Factor" to one of the values below. The resulting behavior depends on whether the user selects the option "Do not challenge me on this device".

Per Device

User selects "Do not challenge me on this device":
  • Okta prompts users for MFA when they launch Okta Mobile for the first time.
  • No MFA prompt in subsequent sessions.
User doesn't select "Do not challenge me on this device":
  • Okta prompts users for MFA whenever they launch or unlock Okta Mobile.

Every Time

  • The Do not challenge me on this device option is not available in Okta Mobile.
  • Okta prompts for MFA whenever users launch or unlock Okta Mobile.

Per Session

User selects "Do not challenge me on this device":
  • Okta doesn't prompt users for MFA when they launch or unlock Okta Mobile during the time period you specified in the Factor Lifetime setting.
  • Users see but can't change the Factor Lifetime value.
User doesn't select "Do not challenge me on this device":
  • Okta prompts users for MFA whenever they launch or unlock Okta Mobile. The Factor Lifetime setting has no effect.
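The iOS and Android MFA tables above describe the same rule set with different known issues. The following is an added model of those rules for reasoning about a tenant's configuration; it is constructed for this page, not Okta code, and the `session_expired` flag is an assumption used to stand in for "the first unlock after an expired session".

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    """One launch or unlock of Okta Mobile under a given Prompt for Factor rule."""
    platform: str            # "ios" or "android"
    rule: str                # "per_device", "every_time" or "per_session"
    factor_lifetime: int     # Factor Lifetime in minutes (used by "per_session" only)
    do_not_challenge: bool   # user selected "Do not challenge me on this device"
    event: str               # "launch" or "unlock"
    first_launch: bool       # first time Okta Mobile runs on this device
    minutes_since_mfa: int   # minutes since the user last completed MFA
    session_expired: bool    # Okta session expired before this unlock (assumed flag)


def expected_prompt(sc: Scenario) -> bool:
    """Intended behaviour from the tables: is the user challenged for MFA now?"""
    if sc.rule == "every_time" or not sc.do_not_challenge:
        return True  # option unavailable or not chosen: challenge on every launch/unlock
    if sc.rule == "per_device":
        return sc.first_launch  # challenged once per device, never afterwards
    if sc.rule == "per_session":
        return sc.minutes_since_mfa >= sc.factor_lifetime  # silent within Factor Lifetime
    raise ValueError(f"unknown Prompt for Factor rule: {sc.rule!r}")


def observed_prompt(sc: Scenario) -> bool:
    """Behaviour with the iOS known issues applied; Android matches the intended rules."""
    if sc.platform == "ios" and not sc.do_not_challenge:
        if sc.rule == "per_device":
            # Known issue: prompted on launch, and on unlock only right after an expired session
            return sc.event == "launch" or sc.session_expired
        if sc.rule == "per_session":
            # Known issue: Factor Lifetime is honoured although it should have no effect
            return sc.minutes_since_mfa >= sc.factor_lifetime
    return expected_prompt(sc)


def weaker_than_intended(sc: Scenario) -> bool:
    """True when a known issue skips a challenge the policy was meant to require."""
    return expected_prompt(sc) and not observed_prompt(sc)
```

Feeding a tenant's rule and lifetime into `weaker_than_intended` shows which iOS launch/unlock paths go unchallenged, which is the gap a compensating control (for example, the PIN lock) has to cover.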

Options in the Okta Admin Console

The behavior of each option below is given for two states of Okta Mobile: in the foreground and idle (for example, for 11 minutes), and in the background or locked (for example, for 11 minutes).

Session expires after (for example, 10 minutes; Security > Authentication > Sign On tab)

Okta Mobile is in the foreground and idle:
  • The user session remains active.
  • Okta Mobile isn't locked.
Okta Mobile is in the background or locked:
  • Expected behavior: The user session expired or the PIN timed out, and Okta Mobile is locked. Okta prompts the user for a PIN or fingerprint when they try to unlock Okta Mobile.
  • Known issue: The session expiration setting is not applied. Okta Mobile remains active and the user can continue to use the app without entering a PIN.

Ask for PIN when user is inactive for (for example, 10 minutes; Security > General > Okta Mobile)

  • Expected behavior: Okta Mobile is locked and Okta prompts the user for a PIN or fingerprint when they try to unlock the app.
  • Known issue: The user inactivity setting is not applied. Okta Mobile remains active and the user can continue to use the app without entering a PIN.

Related Topics

Multifactor Authentication

Devices

Configure Okta Mobility Management (OMM) policies