Enforce a limited session lifetime for all policies
Session lifetime determines the maximum idle time of an end user's sign-on session to Okta. Lowering this value decreases the risk of malicious third-party access to a user's applications from an active session.
The maximum time allowed for this setting is 90 days. The default session lifetime is 2 hours. On the end-user dashboard, a countdown timer appears when 5 minutes of session time remain.
HealthInsight: Why is this task recommended?
This feature is a HealthInsight security task. For more security recommendations from Okta, see HealthInsight.
Enforce a limited session lifetime in your org policies to reduce the risk of malicious third-party access to an end user's applications while that user's session is active.
End-user experience and impact
End users who use the end-user dashboard receive a countdown prompt, based on the configured duration, once five minutes remain in the active session.
To set the session lifetime for a policy:
- From the admin console, navigate to Security > Authentication.
- Click Sign On.
- Click Add Rule or Edit to modify an existing policy rule.
- Under Session expires after, set the session lifetime duration in minutes, hours, or days.
- Click Create Rule or Save Rule once your changes have been made.
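The console steps above set the value one rule at a time; the script below is an added example (not Okta's own code) for auditing every sign-on policy rule against a chosen limit, so that a rule left at the 90-day maximum stands out. It assumes the "Session expires after" value is exposed by the Okta policy rules API as `actions.signon.session.maxSessionIdleMinutes`, and the rule data it runs on is constructed to mirror that API's response shape.

```python
"""Audit Okta sign-on policy rules for an over-long session lifetime.

Added example, not Okta's own code. Assumption: the admin-console
"Session expires after" value is returned by GET /api/v1/policies/{id}/rules
as actions.signon.session.maxSessionIdleMinutes.
"""
import json
import urllib.request

# 90 days is the maximum Okta allows; the default lifetime is 2 hours.
OKTA_MAX_IDLE_MINUTES = 90 * 24 * 60   # 129600
DEFAULT_IDLE_MINUTES = 120


def audit_rules(rules, max_idle_minutes=DEFAULT_IDLE_MINUTES):
    """Return [(rule name, idle minutes, reason)] for active rules over the limit."""
    findings = []
    for rule in rules:
        if rule.get("status") != "ACTIVE":
            continue  # inactive rules do not govern live sessions
        session = rule.get("actions", {}).get("signon", {}).get("session", {})
        idle = session.get("maxSessionIdleMinutes")
        if idle is None:
            findings.append((rule.get("name"), None, "no session lifetime configured"))
        elif idle > max_idle_minutes:
            findings.append((rule.get("name"), idle,
                             f"idle lifetime exceeds {max_idle_minutes} min"))
    return findings


def fetch_rules(org_url, policy_id, api_token):
    """Fetch a policy's rules with an SSWS API token (helper; not called below)."""
    req = urllib.request.Request(
        f"{org_url}/api/v1/policies/{policy_id}/rules",
        headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample rules in the shape of the policy rules API response.
SAMPLE_RULES = [
    {"name": "Default Rule", "status": "ACTIVE",
     "actions": {"signon": {"session": {"maxSessionIdleMinutes": 120}}}},
    {"name": "Contractors", "status": "ACTIVE",
     "actions": {"signon": {"session": {"maxSessionIdleMinutes": OKTA_MAX_IDLE_MINUTES}}}},
    {"name": "Legacy", "status": "INACTIVE",
     "actions": {"signon": {"session": {"maxSessionIdleMinutes": 10080}}}},
]

if __name__ == "__main__":
    for name, idle, reason in audit_rules(SAMPLE_RULES):
        print(f"{name}: {idle} -> {reason}")
```

Run it against the live rules by replacing `SAMPLE_RULES` with the output of `fetch_rules` for each policy returned by `GET /api/v1/policies?type=OKTA_SIGN_ON`.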