Enforce a limited session lifetime for all policies

Session lifetime caps how long an end user's sign-on session to Okta remains valid before it expires and the user must authenticate again. Lowering this value shortens the window in which a malicious third party who obtains an active session (for example, on an unattended or compromised device) can reach the user's applications without re-authenticating.

The maximum value allowed for this setting is 90 days. The default session lifetime is two hours. On the End-User Dashboard, a countdown timer appears when five minutes of session time remain.

HealthInsight task recommendation

Enforce a limited session lifetime in your org's sign-on policies to reduce the risk of malicious third-party access to an end user's applications while that user's session is still active.

Okta recommends

A session lifetime of two hours or less.

Security impact

High

End-user impact

Moderate

End users working in the End-User Dashboard receive a countdown prompt, based on the configured duration, once five minutes remain in the active session; after the session expires they must sign in again.

Set the session lifetime for a policy

  1. From the Admin Console, navigate to Security > Authentication.
  2. Click Sign On.
  3. Click Add Rule or Edit to modify an existing policy rule.
  4. Under Session expires after, set the session lifetime duration in minutes, hours, or days.


  5. Click Create Rule or Save Rule once your changes have been made.
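The Admin Console steps above set the value one rule at a time. To check that every active sign-on policy rule in an org actually meets the two-hour recommendation, the following added example audits rule objects in the shape returned by the Okta Policy API (`GET /api/v1/policies?type=OKTA_SIGN_ON` and `GET /api/v1/policies/{id}/rules`). This is not code from the Okta documentation; the session field names `maxSessionLifetimeMinutes`, `maxSessionIdleMinutes` and `usePersistentCookie`, the convention that a lifetime of 0 means "no limit", and the sample rules are assumptions made for the example. The audit runs offline over constructed sample data; `fetch_signon_rules` shows how the same audit would be fed from a live org and is not called automatically.

```python
"""Audit Okta sign-on policy rules for session lifetimes above a threshold (added example)."""
import json
import urllib.request

MAX_LIFETIME_MINUTES = 120  # two hours, the recommendation on this page

# Constructed sample rules, shaped like Okta Policy API sign-on rule objects.
# Field names are assumed from the Policy API; this is not data from a real org.
SAMPLE_RULES = [
    {"name": "Default Rule", "status": "ACTIVE",
     "actions": {"signon": {"access": "ALLOW", "session": {
         "usePersistentCookie": False, "maxSessionIdleMinutes": 120,
         "maxSessionLifetimeMinutes": 0}}}},          # 0 assumed to mean "no limit"
    {"name": "Contractors", "status": "ACTIVE",
     "actions": {"signon": {"access": "ALLOW", "session": {
         "usePersistentCookie": True, "maxSessionIdleMinutes": 60,
         "maxSessionLifetimeMinutes": 1440}}}},       # one day: above the limit
    {"name": "Employees", "status": "ACTIVE",
     "actions": {"signon": {"access": "ALLOW", "session": {
         "usePersistentCookie": False, "maxSessionIdleMinutes": 30,
         "maxSessionLifetimeMinutes": 120}}}},        # exactly two hours: compliant
    {"name": "Old rule", "status": "INACTIVE",      # inactive rules are skipped
     "actions": {"signon": {"access": "ALLOW", "session": {
         "maxSessionIdleMinutes": 120, "maxSessionLifetimeMinutes": 0}}}},
    {"name": "Block", "status": "ACTIVE",           # DENY rules never create a session
     "actions": {"signon": {"access": "DENY"}}},
]


def rule_findings(rule, limit=MAX_LIFETIME_MINUTES):
    """Return a list of issue strings for one rule; an empty list means it complies."""
    findings = []
    if rule.get("status") != "ACTIVE":
        return findings
    signon = rule.get("actions", {}).get("signon", {})
    if signon.get("access") != "ALLOW":
        return findings
    session = signon.get("session", {})
    lifetime = session.get("maxSessionLifetimeMinutes", 0)
    if lifetime == 0:
        findings.append("no session lifetime limit")
    elif lifetime > limit:
        findings.append(f"session lifetime {lifetime} min exceeds {limit} min")
    idle = session.get("maxSessionIdleMinutes", 0)
    if idle > limit:
        findings.append(f"idle timeout {idle} min exceeds {limit} min")
    if session.get("usePersistentCookie"):
        findings.append("persistent session cookie enabled")
    return findings


def audit(rules, limit=MAX_LIFETIME_MINUTES):
    """Map rule name -> findings for every active ALLOW rule that is non-compliant."""
    report = {}
    for rule in rules:
        found = rule_findings(rule, limit)
        if found:
            report[rule["name"]] = found
    return report


def fetch_signon_rules(org_url, api_token):
    """Collect sign-on rules from a live org (assumed endpoints; needs network and an SSWS token)."""
    def get(path):
        req = urllib.request.Request(org_url.rstrip("/") + path, headers={
            "Authorization": f"SSWS {api_token}", "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    rules = []
    for policy in get("/api/v1/policies?type=OKTA_SIGN_ON"):
        rules.extend(get(f"/api/v1/policies/{policy['id']}/rules"))
    return rules


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_signon_rules(...) for a real org.
    for name, issues in audit(SAMPLE_RULES).items():
        print(f"{name}: {'; '.join(issues)}")
```

The audit deliberately treats a lifetime of zero as a finding rather than as "compliant by default", and it also reports persistent cookies, because a long-lived cookie that survives browser restarts extends the same exposure window the lifetime setting is meant to close.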

Related topics

HealthInsight tasks and recommendations

About Network Zones

General Security

Sign-on policies