The settings in this section apply to general security policies for your organization and specific security policies for mobile users.
Accessing General Settings
Click Security > General to access General Security settings.
Click Edit to modify the following settings:
New or unknown device notification emails
When this feature is enabled, an end user will receive an email notification if they sign in from a new client. A client is anything that talks to the Okta service, such as an agent, an Okta mobile app, or a browser plugin. This email contains details pertaining to the user login such as the web browser and operating system used to sign in, in addition to the time and location of authentication.
A client is identified by a browser cookie, or by a fingerprint when the cookie is not available. A client can be considered new in one or more of the following scenarios:
- New browser type or version
- New OS type or version
- New or updated application
- Unrecognized browser or OS (appears as Unknown in the notification email)
If the authentication is not recognized, it is recommended that end users contact their admin immediately to investigate their account activity. The admin can perform actions such as terminating a user's sessions, locking the user's account, and adding multifactor authentication to improve security.
Limitations of this Feature
This feature complements other security features such as multifactor authentication and should not act as a replacement. In most scenarios, clients are easily and accurately identified. However, there are some limitations that present a challenge for identification. As a result, it is recommended to use this feature in addition to other identifiers such as a new IP address or new location for improved accuracy when identifying suspicious activity on an end user's account.
The current limitations for identifying new clients are as follows:
- Device fingerprints are not captured over non-authentication and widget flows.
- New device notifications are generated occasionally when a device fingerprint is generated based on a change in the OS or browser.
- The device fingerprint is based on the browser in use. The end user will receive a new device notification email if they sign in with a new browser.
- For mobile logins, new device notification emails are sent based on the detection of a new mobile application and not the device used to log in.
- New device detection cannot always be fully guaranteed.
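The recommendation above, to combine the new-client signal with a new IP address or new location, can be sketched as a small triage routine. This is an added example, not Okta code: the `SignIn` record, its field names, the verdict labels and the sample events are all constructed for illustration and do not reflect an Okta log schema.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SignIn:
    # Constructed record; field names are hypothetical, not an Okta log schema.
    user: str
    cookie: Optional[str]  # client cookie, None when not available
    browser: str           # "type/version", or "Unknown"
    os: str                # "type/version", or "Unknown"
    ip: str
    location: str

def client_id(e):
    # Cookie first; fall back to a browser/OS fingerprint when it is missing.
    return f"cookie:{e.cookie}" if e.cookie else f"fp:{e.browser}|{e.os}"

def triage(events):
    """Return one verdict per event, processed in order, per user."""
    history = {}  # user -> sets of clients, IPs and locations seen so far
    verdicts = []
    for e in events:
        h = history.setdefault(e.user, {"client": set(), "ip": set(), "loc": set()})
        new_client = client_id(e) not in h["client"]
        corroborated = e.ip not in h["ip"] or e.location not in h["loc"]
        if not h["client"]:
            verdict = "baseline"      # assumption: first sign-in seeds the history
        elif new_client and corroborated:
            verdict = "investigate"   # new client plus new IP or new location
        elif new_client:
            verdict = "notify"        # new client alone, e.g. a browser update
        else:
            verdict = "known"
        h["client"].add(client_id(e))
        h["ip"].add(e.ip)
        h["loc"].add(e.location)
        verdicts.append(verdict)
    return verdicts

# Constructed sample data (documentation IP ranges).
SAMPLE = [
    SignIn("alice", "c1", "Chrome/120", "macOS/14", "198.51.100.10", "Berlin, DE"),
    SignIn("alice", "c1", "Chrome/120", "macOS/14", "198.51.100.10", "Berlin, DE"),
    SignIn("alice", None, "Chrome/121", "macOS/14", "198.51.100.10", "Berlin, DE"),
    SignIn("alice", None, "Unknown", "Unknown", "203.0.113.77", "Toronto, CA"),
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE, triage(SAMPLE)):
        print(verdict, client_id(event), event.ip, event.location)
```

The third sample event shows the false-positive case from the limitations list: a browser version change with no cookie yields a new fingerprint, but the unchanged IP and location keep it at the lower-priority verdict.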
Accessing and Enabling this Feature
- From the admin dashboard, navigate to Security > General.
- Next to Unknown device notification email, select Enabled or Not Enabled to set this feature for end users.
Refer to Email and SMS Options for more information about user notifications.
"Remember Me" checkbox on sign in
Enabling this setting will display the Remember Me checkbox for users on the login screen.
Activation emails are valid for
Determines the time period for which an account activation email is valid for a user.
Click Edit to modify the following settings:
- Ask for PIN when user is inactive for
Prompts the user for a PIN based on the time interval selected.
- PIN expires after
Determines the length of time that elapses before a PIN expires. Select Never expires to disable this option.
- Sign on to SAML apps
An iOS-specific setting that gives permission to the Safari app extension for SAML app sign-on.