General Security

In General Security, you can configure security settings for your organization such as user notification emails, global org security settings, MFA for admins, and security policies for Okta Mobile users.

To access these settings in the Admin Console, navigate to Security > General.

Security Notification Emails

Configure notification emails for end users by going to Security > General > Security Notification Emails.

For more information about email notifications and template customization, refer to Email and SMS Options.

New sign-on notification email

End users receive an email notification if they sign in from a new or unrecognized client. This email contains user sign-on details such as the web browser and operating system used to sign in, in addition to the time and location of authentication. Refer to Limitations for more information about the limitations for identifying new clients.

Note: This feature is enabled by default for new orgs.

For more information, refer to Sign-on notifications for end users.

MFA enrolled notification email

End users are sent a confirmation email if they or an admin enroll in a new factor for their account.

Note: This feature is enabled by default for new orgs.

For more information, refer to Factor enrollment notifications for end users.

MFA reset notification email

End users are sent an email if they or an admin reset a factor for their account.

Note: This feature is enabled by default for new orgs.

For more information, refer to Factor reset notifications for end users.


Password changed notification email

End users receive an email notification if they change or reset the password for their account. This email contains password reset details such as the time and location of the password reset.

Note:

  • If an admin sets a temporary password, the end user receives an email notification only after they have changed their password from the temporary password.
  • End user notifications for passwords reset using delegated authentication (DelAuth) are not supported.

Report suspicious activity via email

Suspicious Activity Reporting provides an end user with the option to report unrecognized activity from an account activity email notification. See Suspicious Activity Reporting.

New sign-on notification emails

New sign-on notification emails complement other security features such as multifactor authentication and should not act as a replacement. In most scenarios, clients are easily and accurately identified but there are some limitations.

Notification emails for new device sign-on are triggered when a new client is identified based on an end user's browser cookies or fingerprint.

A client can be considered new in one or more of the following scenarios:

  • New browser type or version
  • New OS type or version
  • New or updated application
  • Unrecognized browser or OS (appears as Unknown in the notification email)

If the authentication is not recognized, end users should contact their admin immediately to investigate their account activity. The admin can respond by terminating the user's sessions, locking the user's account, and adding multifactor authentication to improve security.

Limitations

There are some limitations that present a challenge for identification. Enabling email notifications in addition to other identifiers such as a new IP address or new location provides improved accuracy when identifying suspicious activity on an end user's account.

The current limitations for identifying new clients are as follows:

  • Device fingerprints are not captured over non-authentication and widget flows.
  • New device notifications are occasionally generated when a device fingerprint is regenerated because of a change in the OS or browser.
  • The device fingerprint is based on the browser in use. The end user will receive a new device notification email if they sign in with a new browser.
  • For mobile logins, new device notification emails are sent based on the detection of a new mobile application and not the device used to log in.
  • New device detection cannot always be fully guaranteed.
  • End users may receive an unexpected new or unknown device notification email if they have not signed in to their accounts within 40 days.

For more information about end user notifications, refer to Email and SMS Options.

Organization Settings

Configure global organization settings by going to Security > General > Organization.

"Remember Me" checkbox on sign in

This setting displays or hides the Remember Me checkbox for end users at the sign-in screen. If an end user selects this checkbox and signs in, their username is remembered and displayed at sign-on until their browser cookies are cleared.

Activation emails are valid for

Sets the link expiry in the account activation email sent to end users. For more information about email notifications, refer to Email and SMS Options.


Okta Mobile Settings

Changes to Okta Mobile security settings may take up to 24 hours to be applied to all the eligible end users in your org and for Okta to prompt those end users to update their PIN.

Go to Security > General > Okta Mobile to configure the following:

PIN length

Specify the required number of digits for the PIN.

Allow simple PIN

Select to permit the use of repeating, ascending, and descending numeric sequences (such as 1111, 1234, or 4321).

Ask for PIN when user is inactive for

Specify how long users can be inactive before they are prompted to enter a PIN.

Users must re-authenticate after prolonged Okta Mobile inactivity. Users who haven't used Okta Mobile for 30 days or longer are prompted to enter their Okta credentials when they eventually open Okta Mobile. This occurs because Okta Mobile relies on an internal token for authentication that expires after 30 days of inactivity. This token expiration is separate from PIN and MFA expiration.

PIN expires after

Specify how long the PIN is valid before it expires. The same 30-day inactivity token expiration described above applies independently of this setting.

Device trust

Select to apply existing device trust app sign-on policies to apps that end users access through Okta Mobile. This setting is enabled by default. If you have not configured device trust policies for apps, or if device trust is not enabled for your org (Security > Device Trust), selecting this setting has no effect.

Screen preview/capture (Android only)

When this option is selected, Android device users cannot take screenshots, record videos, or share their screen from within Okta Mobile (other apps are not affected). Requires Okta Mobile 3.8.0+ for Android. For iOS device users, this option has no effect.

Sign on to SAML apps (iOS only)

This iOS-specific option allows access to SAML apps in iOS Safari using an iOS Safari extension.

Okta ThreatInsight

ThreatInsight aggregates data across the Okta customer base and uses this data to detect malicious IP addresses that attempt credential-based attacks.

See Okta ThreatInsight for more details about this feature.

MFA for Admins

Super admins can enable mandatory multifactor authentication for all administrators signing in to Okta Administration.

Related topics

Security Policies

HealthInsight

Multifactor Authentication

Okta Mobile

Okta Mobility Management policies