Keep me signed in
Early Access release. See Enable self-service features.
Keep me signed in (KMSI) is a usability feature that reduces sign-in friction on remembered devices. After successful authentication, users who select Keep me signed in don't receive subsequent MFA prompts until the MFA lifetime expires or their browser cookies are cleared.
Use of this feature may increase your attack surface and may not be appropriate for public sector and highly regulated customers, shared devices, or accounts or apps with access to sensitive data.
If you don't enable this EA feature, your navigation is different. See Keep me signed in (GA).
How it works
You can configure the feature so that the KMSI prompt appears before or after users authenticate.
- In standard authentication flows, users go directly to an app or your org's sign-in page and enter their credentials. Configure pre-authentication KMSI if you want to display the prompt on the Sign-In Widget when they enter their credentials. Configure post-authentication KMSI if you want them to see the prompt after their authentication is complete.
- In delegated authentication flows, users bypass the Sign-In Widget and sign in with an identity provider. Configure post-authentication KMSI for these users, so that the KMSI option appears after they authenticate and are redirected back to Okta.
Configure pre-authentication KMSI
Pre-authentication KMSI is set in the Organization Security settings and uses the MFA lifetime from your global session policy. Once enabled, it's available to all users in your org.
Enable the feature
- In the Admin Console, go to .
- In the Organization Security section, click Edit.
- Enable the setting to Show option to stay signed in before users sign in.
- Click Save.
Modify your policies
- Create a global session policy or Edit a global session policy.
- Set the following rule conditions:
  - Multifactor authentication (MFA) is: Required
  - Users will be prompted for MFA: After MFA lifetime expires for the device cookie
- To extend the Keep me signed in feature to an app, update its authentication policy.
- Set the following rule conditions:
  - User must authenticate with: 2 factor types (either option)
  - Prompt for authentication: When an Okta global session doesn't exist
Configure post-authentication KMSI
Post-authentication KMSI is set at the app level in an authentication policy, so you can configure it on a per-app basis. You also need to modify your global session policy so that your intended KMSI duration is observed.
Modify your global session policy
- In the Admin Console, go to .
- Select the default policy, and then click Edit.
- Set the following IF conditions:
  - User's IP is: Anywhere
  - Identity provider is: Leave blank
  - Authenticates via: Any
  - Behavior is: Leave blank
  - Risk is: Leave blank
- Set the following THEN conditions:
  - Access is: Allowed
  - Establish the user session with: Any factor used to meet the Authentication Policy requirements
  - Multifactor authentication (MFA) is: Not required
  - Maximum Okta global session lifetime: No time limit
  - Maximum Okta global session idle time: 2 hours
  - Okta global session cookies persist across: Disabled
- Click Save.
Create an authentication policy for post-authentication KMSI
- In the Admin Console, go to .
- Select the Any two factors policy.
- In the Actions menu of the catch-all rule, select Edit.
- Set the following IF conditions.
  - User type: Any user type
  - User group membership includes: Any group
  - User is: Any user
  - Device state is: Any
  - Device assurance policy is: No policy
  - Device platform is: Any platform
  - User's IP is: Any IP
  - Risk is: Any
  - The following custom expression is true: Leave blank
- Set the following THEN conditions.
  - Access is: Allowed after successful authentication
  - User must authenticate with: Any 2 factor types
  - Possession factor constraints are: Require user interaction (or choose the additional constraints that your org requires)
  - Authentication methods: Allow specific authentication methods (and then enter the authenticators you want to allow)
  - Option to stay signed in: Show after users sign in
  - Show when not previously shown on the user's current device in the past: 7 days
  - Prompt for authentication: When it's been over a specified length of time since the user accessed any resource protected by the active Okta global session
  - Time since last sign in: 7 days
- Click Save.
- Go to the policy's Applications tab.
- Add apps to the policy by clicking Add app or Switch policy.
You can adapt this configuration to your own use cases, but the last two conditions are integral to KMSI. If your global session policy doesn't require MFA, your authentication policy must prompt for authentication when it's been over the specified length of time. If you select a different setting, the KMSI prompt appears more frequently but doesn't retain the user's choice.
If the global session policy requires MFA, the authentication policy can prompt for authentication when it's been over a specified length of time or when no global session exists.
For a seamless user experience, keep the durations for the Option to stay signed in consistent with the Prompt for authentication. If they don't match, users may not see the Keep me signed in prompt after being prompted for MFA.
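The three consistency rules above can be checked mechanically before a policy change is rolled out. The following Python check is an added example, not Okta code or an Okta API: it assumes the rule settings were transcribed by hand from the Admin Console, and the dict keys and function names are this example's own.

```python
import re

# Added example. Settings are transcribed by hand from the Admin Console; the
# dict keys are this example's own names (assumptions), not Okta API fields.
UNITS = {"minute": 60, "hour": 3600, "day": 86400}  # seconds per unit
OVER_TIME = "over a specified length of time"
NO_SESSION = "global session doesn't exist"


def seconds(text):
    """Parse a console duration such as '7 days' or '2 hours' into seconds."""
    m = re.fullmatch(r"\s*(\d+)\s+(minute|hour|day)s?\s*", text.lower())
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def check_post_auth_kmsi(global_mfa_required, rule):
    """Return a list of findings for one authentication policy rule."""
    if rule["option_to_stay_signed_in"] != "Show after users sign in":
        return ["rule does not show the post-authentication KMSI prompt"]
    findings = []
    prompt = rule["prompt_for_authentication"].lower()
    if OVER_TIME in prompt:
        # Both durations should match, or users may miss the prompt after MFA.
        shown = seconds(rule["show_when_not_shown_in_past"])
        if shown != seconds(rule["time_since_last_sign_in"]):
            findings.append("KMSI display window and re-authentication interval differ")
    elif not global_mfa_required:
        # Without MFA at the global session level the prompt must be time-based.
        findings.append("prompt must be time-based; the user's choice is not retained")
    elif NO_SESSION not in prompt:
        findings.append("prompt setting is not one the page lists for KMSI")
    return findings


# Constructed sample: the rule values shown on this page.
PAGE_RULE = {
    "option_to_stay_signed_in": "Show after users sign in",
    "show_when_not_shown_in_past": "7 days",
    "prompt_for_authentication": "When it's been over a specified length of time "
                                 "since the user accessed any resource protected "
                                 "by the active Okta global session",
    "time_since_last_sign_in": "7 days",
}

if __name__ == "__main__":
    print(check_post_auth_kmsi(False, PAGE_RULE))
    print(check_post_auth_kmsi(False, {**PAGE_RULE, "time_since_last_sign_in": "2 hours"}))
```

An empty list means the rule satisfies all three conditions for the given global session policy.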
User experience
In a pre-authentication KMSI flow, users select Keep me signed in when they enter their username in the Sign-In Widget, and then they provide MFA to complete their authentication.
In a post-authentication KMSI flow, users who go to your org's sign-in page may be redirected to an identity provider before they can select Keep me signed in. After authenticating, these users select Stay signed in when they're redirected back to Okta.
In either case, users who select Keep me signed in are remembered on their device for the duration set in your authentication policy. They can manually reset the KMSI prompt and clear all sessions by opening their dashboard account settings menu and selecting Sign out (in the End All Sessions section). The next time the user accesses your org, the Keep me signed in option appears.
Keep me signed in (GA)
In the generally available version of this feature, both display options are available in the Organization Security settings. Because this is a global setting, you can't configure it on a per-app basis.
- In the Admin Console, go to .
- In the Organization Security section, click Edit.
- To show the option on the Sign-In Widget only, enable the feature, and then select Before users sign in. This is the default setting.
- To show the option on the Sign-In Widget and after users authenticate, enable the feature, and then select Before and after users sign in. This option is recommended for orgs that use delegated authentication or identity providers.
- Click Save.
Modify your policies
Be sure that the rules in your global session and authentication policies accommodate the KMSI feature.
- Create a global session policy or Edit a global session policy.
- Set the following rule conditions:
  - Multifactor authentication (MFA) is: Required
  - Users will be prompted for MFA: After MFA lifetime expires for the device cookie
- To extend the Keep me signed in feature to an app, update its authentication policy.
- Set the following rule conditions:
  - User must authenticate with: 2 factor types (either option)
  - Prompt for authentication: When an Okta global session doesn't exist