General Security

Configure various global org security settings such as user notification emails, security policies for Okta Mobile users, and Okta ThreatInsight.

To access these settings in the Admin Console, go to SecurityGeneral.

Security Notification Emails

Configure notification emails for end users by going to SecurityGeneralSecurity Notification Emails.

For more information about email notifications and template customization, see Customize an email template.

If a notification email doesn't reach its recipient, an event that indicates the cause of the delivery failure (delivered, deferred, dropped, or bounced) appears in the System Log.

New sign-on notification email

End users receive an email notification if they sign in from a new or unrecognized client. This email contains user sign-on details such as the web browser and operating system used to sign in, in addition to the time and location of authentication. See New sign-on notification emails for more information about the limitations for identifying new clients.

Note: This feature is disabled by default for new orgs.

For more information, see Sign-on notifications for end users.

MFA enrolled notification email

End users are sent a confirmation email if they or an admin enroll in a new factor for their account.

Note: This feature is enabled by default for new orgs.

For more information, refer to Factor enrollment notifications for end users.

MFA reset notification email

End users are sent an email if they or an admin reset factor for their account.

Note: This feature is enabled by default for new orgs.

For more information, refer to Factor reset notifications for end users.

Password changed notification email

End users receive an email notification if they change or reset the password for their account. This email contains password reset details such as the time and location of the password reset.

Note:

  • If an admin sets a temporary password, the end user receives an email notification only after they've changed their password from the temporary password.
  • End-user notifications for passwords reset using delegated authentication (DelAuth) isn't supported.
  • An email notification isn't sent to end users if the user is inactive.

For more information, refer to Password changed notification for end users.

Report suspicious activity via email

Suspicious Activity Reporting provides an end user with the option to report unrecognized activity from an account activity email notification. See Suspicious Activity Reporting.

New sign-on notification emails

New sign-on notification emails complement other security features such as multifactor authentication and shouldn't act as a replacement. In most scenarios, clients are easily and accurately identified but there are some limitations.

Notification emails for a new device sign-in are triggered when a new client is identified based on an end user's browser cookies or fingerprint.

A client can be considered new in one or more of the following scenarios:

  • New browser type or version
  • New operating system type or version
  • New or updated application
  • Unrecognized browser or operating system (appears as Unknown in the notification email)

If the authentication isn't recognized, end users should contact their admin immediately to investigate their account activity. The admin can perform actions such as terminating a user's sessions, locking the user's account, and adding multifactor authentication to improve security.

Limitations

There are some limitations that present a challenge for identification. Enabling email notifications in addition to other identifiers such as a new IP address or new location provides improved accuracy when identifying suspicious activity on an end user's account.

The current limitations for identifying new clients are as follows:

  • Device fingerprints are captured after a successful sign-in.
  • New device notifications may be generated when there's a change to the user's operating system or browser.
  • New device notifications aren't generated for a sign-in initiated by non-Okta Identity Providers.
  • The device fingerprint is based on the browser in use. The end user receives a new device notification email if they sign in with a new browser type.
  • For mobile sign-ins, new device notification emails are sent based on detecting a new mobile application and not the device used to sign in.
  • New device detection isn't always fully guaranteed.
  • End users may receive an unexpected new or unknown device notification email if they have not signed-in to their accounts within 40 days.

For more information about end-user notifications, see Customize an email template.

Organization Security

Configure global organization settings by going to SecurityGeneralOrganization Security.

IP binding for Admin Console This setting associates admins with the IP address that they signed in from. If the IP changes during a session, the admin is signed out of Okta, and an event appears in the System Log.
Early Access release. See Manage Early Access and Beta features.
"Remember Me" checkbox on sign in This setting displays or hides the Remember Me checkbox for end users at the sign-in page. If an end user checks this feature and signs in, their username is remembered and displayed at sign-on until their browser cookies are cleared.
Activation emails are valid for Sets the link expiry in the account activation email sent to end users. For more information about email notifications, see Customize an email template.
Enforce device binding for creating sessions Device binding ensures that redirect requests are used only in the browser where they were generated. You can disable this feature for compatibility with Classic Engine, but Okta recommends against it. If you disable this feature, Okta bypasses the checks that ensure state tokens are redeemed only by the actor who initiated the authentication flow.
Username match criteria on sign in This setting determines how a user profile is matched when they sign in. If you select Match entire username, users can't sign in unless they enter their full username including the domain. If you select Allow short match, users can sign in without their domain.
Users can view Recent Activity This setting enables the Recent Activity page for users. This page displays a user's recent sign-in activity and security events for their accounts.

Okta Mobile Settings

Changes to Okta Mobile security settings may take up to 24 hours to be applied to all the eligible end users in your org and for Okta to prompt those end users to update their PIN.

End-user notification for PIN change

PIN length

Specify the required number of digits for the PIN.

Allow simple PIN

Select the check box to permit the use of repeating, ascending, and descending numeric sequences (such as 1111, 1234, 4321, etc.).

Ask for PIN when user is inactive for

Specify how long users can be inactive before they are prompted to enter a PIN.

Users must re-authenticate after prolonged Okta Mobile inactivity. Users who haven't used Okta Mobile for 30 days or longer, are prompted to enter their Okta credentials when they eventually open Okta Mobile. This occurs because Okta Mobile relies on an internal token for authentication that expires after 30 days of inactivity. This token expiration is different than PIN and MFA expiration occurrences.

PIN expires after

Specify how long the PIN is valid before it expires.

Device trust

Select the check box to apply existing device trust authentication policies to apps that end users access through Okta Mobile. This setting is enabled by default. If you haven't configured device trust policies to apps, or if device trust is not enabled for your org (Security > Device Trust), selecting this setting has no effect.

Screen preview/capture (Android only)

When this option is selected, Android device users can't take screenshots, record videos, or share their screen from within Okta Mobile. Other apps are not affected. Requires Okta Mobile 3.8.0 or later versions. For iOS device users, this option has no effect.

Sign on to SAML apps (iOS only)

This iOS-specific option allows users to access SAML apps in iOS Safari by using an extension.

Okta ThreatInsight

Okta ThreatInsight aggregates data across the Okta customer base and uses this data to detect malicious IP addresses that attempt credential-based attacks.

To prevent abuse, Okta ThreatInsight is working in limited capacity for free trial editions. Contact Okta Support if fully functional Okta ThreatInsight is required.

See Okta ThreatInsight for more details about this feature.

Related topics

Okta sign-on policies

HealthInsight

Multifactor Authentication

About Okta Mobile

Configure OMM policies