How Okta Mobile works with MFA and Session Expiration settings

Learn how Multifactor Authentication (MFA) and session expiration settings interact with end-user MFA options on Android and iOS devices.

Options that you configure in the Okta Admin Console interact with mobile device-user settings and the state of the Okta Mobile app. This interaction determines when users are challenged for MFA or prompted to use a PIN, fingerprint, or Face ID to unlock Okta Mobile.

Okta Mobile on iOS devices

Admin sets the Sign On Policy Rule: Prompt for Factor

Per device

  User selects the option "Do not challenge me on this device":

  • Okta prompts users for MFA when they launch Okta Mobile for the first time.
  • No MFA prompt in subsequent sessions.

  User DOESN'T select the option "Do not challenge me on this device":

  • Expected behavior: Okta prompts users for MFA whenever they launch or unlock Okta Mobile.
  • Known issue: Okta prompts users for MFA only when they launch Okta Mobile and the first time they unlock it after an expired session.

Every time

  • The Do not challenge me on this device option isn't available in Okta Mobile.
  • Okta prompts for MFA whenever users launch or unlock Okta Mobile.

Per session

  User selects the option "Do not challenge me on this device":

  • Okta doesn't prompt users for MFA when they launch or unlock Okta Mobile during the time period you specified in the Factor Lifetime setting.
  • Users see but can't change the Factor Lifetime value.

  User DOESN'T select the option "Do not challenge me on this device":

  • Expected behavior: Okta prompts users for MFA whenever they launch or unlock Okta Mobile. The Factor Lifetime setting has no effect.
  • Known issues:

    • If users close Okta Mobile and re-launch it before the specified Factor Lifetime, they are NOT prompted for MFA, although they should be.
    • If users close Okta Mobile and re-launch it after the specified Factor Lifetime, they are prompted for MFA as expected. However, the Do not challenge me on this device option is selected although the users didn't choose it.

Options in the Okta Admin Console and Okta Mobile State

The Okta Mobile states compared are:

  • Okta Mobile is in the foreground and idle (for example, 11 minutes)
  • Okta Mobile is in the background or locked (for example, 11 minutes)

Session expires after (for example, 10 minutes): Security > Authentication > Sign On tab

  Okta Mobile is in the foreground and idle:

  • The user session remains active.
  • Okta Mobile isn't locked.

  Okta Mobile is in the background or locked:

  • The user session expired or the PIN timed out and Okta Mobile is locked. Okta prompts the user for a PIN or fingerprint when they try to unlock Okta Mobile.

Ask for PIN when user is inactive for (for example, 10 minutes): Security > General > Okta Mobile

  • Expected behavior: Okta Mobile is locked and Okta prompts the user for a PIN or fingerprint when they try to unlock the app.
  • Known issue: The user inactivity setting isn't applied. Okta Mobile remains active and the user can continue to use the app without entering a PIN.

Okta Mobile on Android devices

Admin sets the Sign On Policy Rule: Prompt for Factor

Per device

  User selects the option "Do not challenge me on this device":

  • Okta prompts users for MFA when they launch Okta Mobile for the first time.
  • No MFA prompt in subsequent sessions.

  User DOESN'T select the option "Do not challenge me on this device":

  • Okta prompts users for MFA whenever they launch or unlock Okta Mobile.

Every time

  • The Do not challenge me on this device option isn't available in Okta Mobile.
  • Okta prompts for MFA whenever users launch or unlock Okta Mobile.

Per session

  User selects the option "Do not challenge me on this device":

  • Okta doesn't prompt users for MFA when they launch or unlock Okta Mobile during the time period you specified in the Factor Lifetime setting.
  • Users see but can't change the Factor Lifetime value.

  User DOESN'T select the option "Do not challenge me on this device":

  • Okta prompts users for MFA whenever they launch or unlock Okta Mobile. The Factor Lifetime setting has no effect.

Options in the Okta Admin Console and Okta Mobile State

The Okta Mobile states compared are:

  • Okta Mobile is in the foreground and idle (for example, 11 minutes)
  • Okta Mobile is in the background or locked (for example, 11 minutes)

Session expires after (for example, 10 minutes): Security > Authentication > Sign On tab

  Okta Mobile is in the foreground and idle:

  • The user session remains active.
  • Okta Mobile isn't locked.

  Okta Mobile is in the background or locked:

  • Expected behavior: The user session expired or the PIN timed out and Okta Mobile is locked. Okta prompts the user for a PIN or fingerprint when they try to unlock Okta Mobile.
  • Known issue: The session expiration setting isn't applied. Okta Mobile remains active and the user can continue to use the app without entering a PIN.

Ask for PIN when user is inactive for (for example, 10 minutes): Security > General > Okta Mobile

  • Expected behavior: Okta Mobile is locked and Okta prompts the user for a PIN or fingerprint when they try to unlock the app.
  • Known issue: The user inactivity setting isn't applied. Okta Mobile remains active and the user can continue to use the app without entering a PIN.

Related Topics

Multifactor Authentication (MFA)