Change the authentication frequency
If the MFA lifetime is shorter than your session expiration length, users with active sessions don't authenticate when their MFA expires.
HealthInsight task recommendation
In your global session policy or authentication policy, shorten the amount of time that a user can be idle. Require users to provide MFA every time they sign in.
| Okta recommends |
To increase the authentication frequency for all resources, configure these conditions in your global session policy:
To increase the authentication frequency for specific apps, add them to an authentication policy with your desired session length and MFA lifetimes. |
| Security impact | Moderate |
| End-user impact |
Moderate Session times aligned with the MFA lifetime that you configure. Users authenticate more frequently. |
Increase authentication frequency for all resources
-
In the Admin Console, go to .
-
Select the policy that you want to edit.
-
In the Rules table, locate the rule that you want to edit and make these updates:
-
Multifactor authentication (MFA) is: Required
-
Users will be prompted for MFA: At every sign-in attempt
-
Max Okta session lifetime: Set time limit in days, hours, or minutes
-
-
Click Update Rule.
Increase authentication frequency for specific resources
-
Add an authentication policy rule. For Re-authentication frequency is, select Every sign-in attempt.
-
On the Authentication Policies page, select the policy you created.
-
Select the Applications tab, and then click Add App.
-
Click Add for each app you want to add to this policy.
-
Click Close.