The settings in this section apply to general security policies for your organization and specific security policies for mobile users. The following settings are available in this section:
To access these settings in the admin console, navigate to Security > General.
Navigate to Security > General > Security Notification Emails to configure the following:
New sign-on notification email
End users receive an email notification if they sign in from a new or unrecognized client. This email contains user sign-on details such as the web browser and operating system used to sign in, in addition to the time and location of authentication. Refer to Limitations for more information about the limitations for identifying new clients.
Note: This feature is enabled by default for new orgs.
MFA enrolled notification email
End users are sent a confirmation email if they or an admin enroll a new factor for their account. For more information about email notifications and template customization, refer to Email and SMS Options.
MFA reset notification email
End users are sent an email if they or an admin reset a factor for their account. For more information about email notifications and template customization, refer to Email and SMS Options.
New sign-on notification emails complement other security features such as multifactor authentication and should not act as a replacement. In most scenarios, clients are easily and accurately identified but there are some limitations.
Notification emails for new device sign-on are triggered when a new client is identified based on an end user's browser cookies or fingerprint.
A client can be considered new in one or more of the following scenarios:
- New browser type or version
- New OS type or version
- New or updated application
- Unrecognized browser or OS (appears as Unknown in the notification email)
If the end user does not recognize the sign-in described in the email, they should contact their admin immediately to investigate the account activity. The admin can respond by terminating the user's sessions, locking the user's account, and adding multifactor authentication to improve security.
Some limitations make client identification harder. Combining email notifications with other signals, such as a new IP address or a new location, improves the accuracy of detecting suspicious activity on an end user's account.
The current limitations for identifying new clients are as follows:
- Device fingerprints are not captured over non-authentication and widget flows.
- A change to the OS or browser (for example, a version update) produces a new device fingerprint, so it can occasionally trigger a new device notification even though the physical device is unchanged.
- The device fingerprint is based on the browser in use. The end user will receive a new device notification email if they sign in with a new browser.
- For mobile logins, new device notification emails are sent based on the detection of a new mobile application and not the device used to log in.
- New device detection is best-effort and cannot be fully guaranteed.
- End users may receive an unexpected new or unknown device notification email if they have not signed in to their accounts within 40 days.
For more information about end user notifications, refer to Email and SMS Options.
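The following is an added example, not Okta's code: Okta does not publish its fingerprinting or notification logic, and the class and field names here (SignIn, ClientRegistry, and so on) are assumed for illustration. It models the rules described above so an admin can see why the listed limitations produce the notifications they do: a client is keyed by a device cookie or, failing that, a browser-based fingerprint; a new browser, OS or app version is a new client; an unparseable browser or OS is reported as Unknown; mobile detection keys off the app and not the device; and a client not seen within 40 days is reported again. The sign-in sequence in `demo()` is constructed sample data, not real log output.

```python
"""Illustrative model of new-client detection behind the new sign-on notification email.

Added example, not Okta's code. Names are assumed; the rules follow the page's
description of when a client is considered new.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

IDLE_LIMIT = timedelta(days=40)  # idle window after which a known client is treated as new again

REASON_NEW = "new browser, OS or app version"
REASON_UNKNOWN = "unrecognized browser or OS"
REASON_IDLE = "no sign-in from this client within 40 days"


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    ip: str
    cookie: Optional[str] = None     # device cookie the client sent back, if any
    browser: Optional[str] = None    # parsed "family version"; None if the user agent was unparseable
    os: Optional[str] = None
    app: Optional[str] = None        # mobile app identifier for mobile flows
    device_id: Optional[str] = None  # deliberately ignored: mobile detection keys off the app, not the device


@dataclass(frozen=True)
class Notification:
    user: str
    reason: str
    browser: str
    os: str
    ip: str
    when: datetime


def fingerprint(s: SignIn) -> str:
    """Browser-based fingerprint: any change of browser, OS or app version yields a new hash."""
    raw = "|".join((s.browser or "Unknown", s.os or "Unknown", s.app or ""))
    return hashlib.sha256(raw.encode()).hexdigest()


class ClientRegistry:
    """Tracks, per user, when each client key (cookie or fingerprint) last signed in."""

    def __init__(self) -> None:
        self._last_seen: dict[tuple[str, str], datetime] = {}

    def record(self, s: SignIn) -> Optional[Notification]:
        """Register a successful sign-in; return a Notification if the client is not recognized."""
        keys = [f"fp:{fingerprint(s)}"]
        if s.cookie:
            keys.insert(0, f"cookie:{s.cookie}")  # a presented cookie identifies the client before the fingerprint

        seen = [self._last_seen.get((s.user, k)) for k in keys]
        known = any(t is not None and s.when - t <= IDLE_LIMIT for t in seen)
        stale = not known and any(t is not None for t in seen)  # seen before, but not within the idle window

        for k in keys:  # bind every key presented to this sign-in
            self._last_seen[(s.user, k)] = s.when

        if known:
            return None
        if s.app is None and (s.browser is None or s.os is None):
            reason = REASON_UNKNOWN
        elif stale:
            reason = REASON_IDLE
        else:
            reason = REASON_NEW
        return Notification(s.user, reason, s.browser or "Unknown", s.os or "Unknown", s.ip, s.when)


def demo() -> list[Notification]:
    """Constructed sign-in sequence (not real log data) walking through the page's cases."""
    t0 = datetime(2024, 1, 1, 9, 0)
    day = timedelta(days=1)
    reg = ClientRegistry()
    events = [
        SignIn("alice", t0, "198.51.100.10", cookie="c1", browser="Chrome 120", os="macOS 14"),            # first sign-in: new
        SignIn("alice", t0 + 1 * day, "198.51.100.10", cookie="c1", browser="Chrome 120", os="macOS 14"),  # cookie recognized
        SignIn("alice", t0 + 2 * day, "198.51.100.10", browser="Chrome 120", os="macOS 14"),               # cookies cleared, fingerprint recognized
        SignIn("alice", t0 + 3 * day, "198.51.100.10", browser="Chrome 121", os="macOS 14"),               # browser update: new fingerprint
        SignIn("alice", t0 + 4 * day, "203.0.113.7", browser=None, os=None),                               # unparseable user agent: Unknown
        SignIn("alice", t0 + 50 * day, "198.51.100.10", cookie="c1", browser="Chrome 121", os="macOS 14"), # 47 days idle: reported again
        SignIn("bob", t0, "192.0.2.5", app="OktaMobile/7.10", os="iOS 17", device_id="phone-A"),           # first mobile sign-in: new
        SignIn("bob", t0 + 1 * day, "192.0.2.9", app="OktaMobile/7.10", os="iOS 17", device_id="phone-B"), # same app on another phone: not reported
    ]
    return [n for n in (reg.record(e) for e in events) if n is not None]


if __name__ == "__main__":
    for n in demo():
        print(f"{n.when:%Y-%m-%d} {n.user:<6} {n.browser} / {n.os} from {n.ip}: {n.reason}")
```

Running the script prints five notifications: the two genuinely new browser fingerprints for alice, the Unknown notification for the unparseable client, the repeat notification after the 40-day idle window, and bob's first mobile sign-in. Bob's second phone produces nothing, which is the mobile limitation the list above describes; the IP change on that sign-in is exactly the kind of extra signal an admin would want to correlate separately.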
Navigate to Security > General > Organization to configure the following:
"Remember Me" checkbox on sign in
This setting displays or hides the Remember Me checkbox for end users on the login screen. If an end user selects the checkbox and signs in, their username is remembered and prefilled on the sign-in page until their browser cookies are cleared.
Activation emails are valid for
Sets the link expiry in the account activation email sent to end users. For more information about email notifications, refer to Email and SMS Options.
Navigate to Security > General > Okta Mobile to configure the following:
ThreatInsight aggregates data across the Okta customer base and uses this data to detect malicious IP addresses that attempt credential-based attacks.
Refer to Okta ThreatInsight for more details about this feature.