Change the authentication frequency

If the MFA lifetime is shorter than your session expiration length, users with active sessions aren't prompted to authenticate again when their MFA expires.

HealthInsight task recommendation

In your global session policy or authentication policy, shorten the amount of time that a user can be idle. Require users to provide MFA every time they sign in.

Okta recommends

To increase the authentication frequency for all resources, configure these conditions in your global session policy:

  • Set your session expiration to a shorter duration

  • Require MFA at every sign-in attempt

To increase the authentication frequency for specific apps, add them to an authentication policy with your desired session length and MFA lifetimes.

Security impact

Moderate

End-user impact

Moderate

Session times are aligned with the MFA lifetime that you configure. Users authenticate more frequently.

Increase authentication frequency for all resources

  1. In the Admin Console, go to Security > Global Session Policy.

  2. Select the policy that you want to edit.

  3. In the Rules table, locate the rule that you want to edit and make these updates:

    • Multifactor authentication (MFA) is: Required

    • Users will be prompted for MFA: At every sign-in attempt

    • Max Okta session lifetime: Set time limit in days, hours, or minutes

  4. Click Update Rule.
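
To check these settings across many rules instead of one at a time in the console, the following added example (not Okta's code) audits rule objects offline. The key names are assumed to match rule objects returned by the Okta Policies API; the 720-minute threshold and the sample rules are constructed.

```python
# Added example: offline audit of global session policy rules.
# Key names are assumed to follow the Okta Policies API rule objects.
MAX_SESSION_MIN = 720  # hypothetical threshold; choose your own

def audit_rule(rule, max_session_min=MAX_SESSION_MIN):
    """Return findings for one rule, checked against the settings above."""
    signon = rule.get("actions", {}).get("signon", {})
    if signon.get("access") == "DENY":
        return []  # a deny rule never creates a session
    findings = []
    lifetime = signon.get("session", {}).get("maxSessionLifetimeMinutes", 0)
    if lifetime == 0:  # 0 is assumed to mean "no time limit"
        findings.append("no max session lifetime")
    elif lifetime > max_session_min:
        findings.append(f"session lifetime {lifetime} min exceeds {max_session_min}")
    if not signon.get("requireFactor", False):
        findings.append("MFA not required")
        return findings
    mode = signon.get("factorPromptMode")
    if mode != "ALWAYS":
        findings.append(f"MFA prompt mode is {mode}, not every sign-in attempt")
    mfa_life = signon.get("factorLifetime")
    if mode == "SESSION" and mfa_life and (lifetime == 0 or mfa_life < lifetime):
        findings.append("MFA lifetime shorter than session lifetime")
    return findings

def audit_policy(rules):
    """Map rule name -> findings, keeping only rules that need attention."""
    report = {r["name"]: audit_rule(r) for r in rules}
    return {name: f for name, f in report.items() if f}

# Constructed sample rules, not exported from a real org.
SAMPLE_RULES = [
    {"name": "Default Rule", "actions": {"signon": {
        "access": "ALLOW", "requireFactor": False,
        "session": {"maxSessionLifetimeMinutes": 0}}}},
    {"name": "Contractors", "actions": {"signon": {
        "access": "ALLOW", "requireFactor": True,
        "factorPromptMode": "SESSION", "factorLifetime": 15,
        "session": {"maxSessionLifetimeMinutes": 480}}}},
    {"name": "Employees", "actions": {"signon": {
        "access": "ALLOW", "requireFactor": True,
        "factorPromptMode": "ALWAYS",
        "session": {"maxSessionLifetimeMinutes": 480}}}},
]

if __name__ == "__main__":
    for name, findings in audit_policy(SAMPLE_RULES).items():
        print(name, "->", "; ".join(findings))
```
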

Increase authentication frequency for specific resources

  1. Create an authentication policy.

  2. Add an authentication policy rule. For Re-authentication frequency is, select Every sign-in attempt.

  3. On the Authentication Policies page, select the policy you created.

  4. Select the Applications tab, and then click Add App.

  5. Click Add for each app you want to add to this policy.

  6. Click Close.

Related topics

Create a global session policy

Edit a global session policy