Enforce a limited session lifetime for all policies
Session lifetime determines the maximum idle time of an end user's sign-on session to Okta; once that time passes without activity, the session ends and the user must sign in again. Lowering this value shortens the window in which a malicious third party who obtains an active session can use it to reach the user's applications.
The maximum value allowed for this setting is 90 days. The default session lifetime is two hours. On the end-user dashboard, a countdown timer appears when five minutes of session time remain.
HealthInsight task recommendation
Enforce a limited session lifetime in your org policies to reduce the risk of a malicious third party using an active end-user session to access that user's applications.
Okta recommends: A session lifetime of two hours or less.
Security impact: High
End-user impact: Moderate. End users on the end-user dashboard receive a countdown prompt, based on the configured duration, once five minutes remain in the active session.
Set the session lifetime for a policy
- From the Admin Console, navigate to Security > Authentication.
- Click Sign On.
- Click Add Rule or Edit to modify an existing policy rule.
- Under Session expires after, set the session lifetime duration in minutes, hours, or days.
- Click Create Rule or Save Rule once your changes have been made.
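The Admin Console steps above set the value one rule at a time; in an org with many sign-on policy rules you also want a way to find every rule that exceeds the two-hour recommendation. The following audit script is an added example and is not code from the Okta page or from Okta. It assumes the Okta Policy API representation of a sign-on policy rule (`actions.signon.session.maxSessionIdleMinutes`, `maxSessionLifetimeMinutes`, `usePersistentCookie`, the `/api/v1/policies?type=OKTA_SIGN_ON` and `/api/v1/policies/{id}/rules` endpoints, and an SSWS token); the page itself only describes the console, so treat those names as assumptions. The sample policy data is constructed for the example.

```python
import json
import urllib.request

# HealthInsight recommendation on this page: a session lifetime of two hours or less.
RECOMMENDED_MAX_MINUTES = 120
# Ceiling of the setting noted on the page: 90 days.
OKTA_MAX_MINUTES = 90 * 24 * 60


def session_settings(rule):
    """Return the session block of a sign-on policy rule.

    Field names follow the Okta Policy API representation of an Okta sign-on
    policy rule (an assumption; the page only describes the Admin Console).
    """
    return rule.get("actions", {}).get("signon", {}).get("session", {})


def audit_rule(rule, limit=RECOMMENDED_MAX_MINUTES):
    """Check one rule; return (rule name, configured idle minutes, findings)."""
    session = session_settings(rule)
    # maxSessionIdleMinutes is the page's "session lifetime" (maximum idle time).
    idle = session.get("maxSessionIdleMinutes")
    findings = []
    if idle is None:
        findings.append("no maxSessionIdleMinutes configured")
    elif idle > OKTA_MAX_MINUTES:
        findings.append(f"maxSessionIdleMinutes={idle} exceeds the 90-day ceiling")
    elif idle > limit:
        findings.append(f"maxSessionIdleMinutes={idle} exceeds the recommended {limit}")
    # A persistent cookie keeps the Okta session across browser restarts, which
    # widens the window in which a stolen session stays usable.
    if session.get("usePersistentCookie"):
        findings.append("usePersistentCookie=true")
    return rule.get("name", "<unnamed>"), idle, findings


def audit_policies(policies, limit=RECOMMENDED_MAX_MINUTES):
    """Audit every rule of every policy; return only the rules with findings."""
    report = []
    for policy in policies:
        for rule in policy.get("rules", []):
            name, idle, findings = audit_rule(rule, limit)
            if findings:
                report.append({"policy": policy.get("name"), "rule": name,
                               "idleMinutes": idle, "findings": findings})
    return report


def compliant_session(limit=RECOMMENDED_MAX_MINUTES):
    """Session block that satisfies the recommendation, for writing back to a rule.

    The total lifetime is capped to the same value, a stricter bound than the
    idle limit alone (assumed field semantics).
    """
    return {"usePersistentCookie": False,
            "maxSessionIdleMinutes": limit,
            "maxSessionLifetimeMinutes": limit}


def fetch_signon_policies(org_url, api_token):
    """Pull sign-on policies and their rules from a live org (not exercised offline).

    Assumes an SSWS API token and the Policy API endpoints named in the lead-in.
    """
    def get(path):
        req = urllib.request.Request(org_url + path, headers={
            "Authorization": "SSWS " + api_token, "Accept": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    policies = get("/api/v1/policies?type=OKTA_SIGN_ON")
    for policy in policies:
        policy["rules"] = get(f"/api/v1/policies/{policy['id']}/rules")
    return policies


# Constructed sample (not real org data): one rule at the 90-day ceiling with a
# persistent cookie, one rule that follows the recommendation.
SAMPLE_POLICIES = [
    {"name": "Default Policy", "rules": [
        {"name": "Contractors", "actions": {"signon": {"access": "ALLOW", "session": {
            "usePersistentCookie": True, "maxSessionIdleMinutes": OKTA_MAX_MINUTES,
            "maxSessionLifetimeMinutes": 0}}}},
        {"name": "Everyone", "actions": {"signon": {"access": "ALLOW", "session": {
            "usePersistentCookie": False, "maxSessionIdleMinutes": 120,
            "maxSessionLifetimeMinutes": 0}}}},
    ]}
]

if __name__ == "__main__":
    for finding in audit_policies(SAMPLE_POLICIES):
        print(json.dumps(finding))
    print("compliant session block:", json.dumps(compliant_session()))
```

Run it against `fetch_signon_policies("https://your-org.okta.com", token)` instead of `SAMPLE_POLICIES` to audit a real org; every rule it reports is one to open under Security > Authentication > Sign On and bring down to two hours or less.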
Related topics
HealthInsight tasks and recommendations
© 2021 Okta, Inc All Rights Reserved. Various trademarks held by their respective owners.