General Security

Configure various global org security settings such as user notification emails, security policies for Okta Mobile users, and ThreatInsight.

To access these settings in the Admin Console, navigate to Security > General.

Security Notification Emails

Configure notification emails for end users by going to Security > General > Security Notification Emails.

For more information about email notifications and template customization, see Customize an email template.

New sign-on notification email

End users receive an email notification if they sign in from a new or unrecognized client. This email contains user sign-on details such as the web browser and operating system used to sign in, in addition to the time and location of authentication. See New sign-on notification emails for more information about the limitations for identifying new clients.

Note: This feature is disabled by default for new orgs.

For more information, see Sign-on notifications for end users.

MFA enrolled notification email

End users are sent a confirmation email if they or an admin enroll a new factor for their account.

Note: This feature is enabled by default for new orgs.

For more information, refer to Factor enrollment notifications for end users.

MFA reset notification email

End users are sent an email if they or an admin reset a factor for their account.

Note: This feature is enabled by default for new orgs.

For more information, refer to Factor reset notifications for end users.


Password changed notification email

End users receive an email notification if they change or reset the password for their account. This email contains password reset details such as the time and location of the password reset.

Note:

  • If an admin sets a temporary password, the end user receives an email notification only after they have changed their password from the temporary password.
  • End user notifications for passwords reset using delegated authentication (DelAuth) are not supported.
  • No email notification is sent if the end user's account is inactive.

For more information, refer to Password changed notification for end users.

Report suspicious activity via email

Suspicious Activity Reporting gives an end user the option to report unrecognized activity directly from an account activity email notification. See Suspicious Activity Reporting.

New sign-on notification emails

New sign-on notification emails complement other security features such as multifactor authentication and should not be used as a replacement for them. In most scenarios, clients are identified easily and accurately, but there are some limitations.

Notification emails for a new device sign-in are triggered when a new client is identified based on an end user's browser cookies or fingerprint.

A client can be considered new in one or more of the following scenarios:

  • New browser type or version
  • New operating system type or version
  • New or updated application
  • Unrecognized browser or operating system (appears as Unknown in the notification email)

If the end user doesn't recognize the authentication, they should contact their admin immediately to investigate their account activity. The admin can take actions such as terminating the user's sessions, locking the user's account, and adding multifactor authentication to improve security.

Limitations

Some limitations make client identification harder. Combining these email notifications with other signals, such as a new IP address or a new location, improves the accuracy of identifying suspicious activity on an end user's account.

The current limitations for identifying new clients are as follows:

  • Device fingerprints are captured only after a successful sign-in.
  • New device notifications may be generated when the user's operating system or browser changes.
  • New device notifications are not generated for a sign-in initiated by non-Okta Identity Providers.
  • The device fingerprint is based on the browser in use. The end user receives a new device notification email if they sign in with a new browser type.
  • For mobile sign-ins, new device notification emails are sent based on the detection of a new mobile application, not the device used to sign in.
  • New device detection is not always guaranteed.
  • End users may receive an unexpected new or unknown device notification email if they have not signed in to their accounts within 40 days.

For more information about end user notifications, see Customize an email template.

Troubleshooting

If you entered an incorrect service site key in the Okta configuration, users lose access to the Okta org. To reconfigure, first send the following request to the CAPTCHA management public API (api_token and yourOktaDomain are placeholders for your API token and org domain):

curl -v -X PUT \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "Authorization: SSWS ${api_token}" \
  -d '{"captchaId": null, "enabledPages": null}' \
  "https://${yourOktaDomain}/api/v1/org/captcha"

Organization Settings

Configure global organization settings by going to Security > General > Organization.

"Remember Me" checkbox on sign in

This setting displays or hides the Remember Me checkbox for end users at the sign-in screen. If an end user checks this option and signs in, their username is remembered and displayed at sign-on until their browser cookies are cleared.

Activation emails are valid for

Sets the link expiry for the account activation email sent to end users. For more information about email notifications, see Customize an email template.

User Enumeration Prevention

When this feature is enabled, your org is protected against attackers who attempt to identify user accounts and authenticator enrollments. Every new sign-in attempt from a device will show the password and email if authentication is allowed in the org.

If the user doesn't exist or can't sign in, they receive an authenticator verification error, but no confirmation of whether the account exists is provided.

Note: User Enumeration Prevention won't take effect if either of the following conditions is allowed:

For information on end-user sign-in attempts to Okta, see New user registration, activation, and sign-in experience.

Okta Mobile Settings

Changes to Okta Mobile security settings may take up to 24 hours to be applied to all the eligible end users in your org and for Okta to prompt those end users to update their PIN.

End-user notification for PIN change

PIN length

Specify the required number of digits for the PIN.

Allow simple PIN

Select the check box to permit the use of repeating, ascending, and descending numeric sequences (such as 1111, 1234, 4321, etc.).
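As an added illustration of the PIN length and simple-PIN rules described above (example code, not Okta Mobile's own implementation), the following model treats a PIN as "simple" when all digits repeat or when the digits strictly ascend or descend by one at each step; the exact sequence rule Okta Mobile applies is an assumption here, since the page does not define it.

```python
# Added example: a model of the "PIN length" and "Allow simple PIN" settings.
# Assumption: a "simple" PIN is one whose digits are all identical, or that
# ascends or descends by exactly one at every step (1111, 1234, 4321).
# Okta Mobile's exact rule is not documented on this page.

def is_simple_pin(pin: str) -> bool:
    """Return True if pin is a repeating, ascending or descending sequence."""
    if not pin.isdigit() or len(pin) < 2:
        return False
    digits = [int(c) for c in pin]
    # Set of differences between adjacent digits:
    # 1111 -> {0}, 1234 -> {1}, 4321 -> {-1}, 1357 -> {2}, 1243 -> {1, -1}
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({0}, {1}, {-1})


def validate_pin(pin: str, pin_length: int, allow_simple: bool) -> list[str]:
    """Check a candidate PIN against the configured settings.

    pin_length mirrors the "PIN length" setting and allow_simple mirrors the
    "Allow simple PIN" check box. Returns a list of violations; an empty
    list means the PIN is acceptable under those settings.
    """
    problems = []
    if not pin.isdigit():
        problems.append("PIN must contain only digits")
    if len(pin) != pin_length:
        problems.append(f"PIN must be exactly {pin_length} digits")
    if not allow_simple and is_simple_pin(pin):
        problems.append("simple sequences (e.g. 1111, 1234, 4321) are not allowed")
    return problems


if __name__ == "__main__":
    # Constructed sample PINs checked against a 4-digit, no-simple-PIN policy.
    for candidate in ("1111", "1234", "4321", "1357", "2580"):
        print(candidate, validate_pin(candidate, 4, allow_simple=False) or "ok")
```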

Ask for PIN when user is inactive for

Specify how long users can be inactive before they are prompted to enter a PIN.

Users must re-authenticate after prolonged Okta Mobile inactivity. Users who haven't used Okta Mobile for 30 days or longer are prompted to enter their Okta credentials when they next open Okta Mobile. This occurs because Okta Mobile relies on an internal authentication token that expires after 30 days of inactivity. This token expiration is separate from PIN expiration and MFA expiration.

PIN expires after

Specify how long the PIN is valid before it expires.

Device trust

Select the check box to apply existing device trust app sign-on policies to apps that end users access through Okta Mobile. This setting is enabled by default. If you haven't configured device trust policies for apps, or if device trust is not enabled for your org (Security > Device Trust), selecting this setting has no effect.

Screen preview/capture (Android only)

When this option is selected, Android device users can't take screenshots, record videos, or share their screen from within Okta Mobile (other apps are not affected). Requires Okta Mobile 3.8.0 or later. For iOS device users, this option has no effect.

Sign on to SAML apps (iOS only)

This iOS-specific option allows users to access SAML apps in iOS Safari by using an extension.

Okta ThreatInsight

Okta ThreatInsight aggregates data across the Okta customer base and uses this data to detect malicious IP addresses that attempt credential-based attacks.

To prevent abuse, Okta ThreatInsight operates in a limited capacity for free trial editions. Contact Okta Support if fully functional Okta ThreatInsight is required.

See Okta ThreatInsight for more details about this feature.

Related topics

Okta sign-on policies

HealthInsight

Multifactor Authentication (MFA)

About Okta Mobile

Configure Okta Mobility Management (OMM) policies