How do I detect a Factor expiration using OKTA APIs

How do I detect a Factor expiration using OKTA APIs, as determined by the “Factor lifetime” setting of a “Per Session” Authentication Security Sign-on policy rule

Are you looking to check what the policy has as the factor lifetime? You should find it in the signon action object within your Okta Sign On Rules: Policy | Okta Developer

No. Following user id and password entry in the client and successful execution of the authentication API call with those two values, I am looking to detect (also via the OKTA API) if the time period defined by the “Factor Lifetime” has passed since the last time that user verified successfully with an OTP sent to that factor. Essentially, I do not want to prompt the user for verification using any factors until that previously verified Factor Lifetime is over. We do not embed the OKTA Widget in our Web App, but implement our own pages for the login flow with MFA, and call OKTA REST APIs for all login steps (authentication, factor enroll/activate the first time or send/verify if not the first time, then navigate to our app dashboard after that). Let me know. Thank you, Mick (michele.pontalti@fleetcor.com). I also have case 01119932 open and escalated to your OKTA Dev team from OKTA Support, but have not heard back yet. I suppose I could save a timestamp on our server for when that user last verified the factor and compare it to the current timestamp minus the Factor Lifetime, but I wonder if I could detect Factor Lifetime expiration via OKTA API calls somehow.

Solution implemented by checking the logs, and making the user verify via a factor only when no log entry exists for that operation within the Factor Lifetime defined by the policy, as follows:

  • {{url}}/api/v1/logs?filter=eventType eq "user.authentication.auth_via_mfa" and outcome.result eq "SUCCESS" and actor.id eq "00uhprcoy2UXrtTF55d6"&since=2021-06-05T04:03:05.057Z
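
As an added example (not code from the original post or from Okta), here is the decision the solution above describes, written out in Python. It assumes the System Log endpoint and filter expression shown in the post, that the rule's factor lifetime is available to the application in minutes, and that the user id is the one returned by the authentication call; the log events at the bottom are constructed for illustration, not real Okta output.

```python
"""Skip the MFA prompt when the Okta System Log already holds a successful
MFA verification for this user inside the policy's factor lifetime.

Added example for the thread's solution; not Okta's own code.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

MFA_SUCCESS_EVENT = "user.authentication.auth_via_mfa"

# Okta object ids are short alphanumeric strings. Validating the id before it is
# interpolated into the filter keeps arbitrary text out of the filter expression.
_OKTA_ID = re.compile(r"^[0-9A-Za-z]{1,64}$")


def iso_z(ts: datetime) -> str:
    """Format a timestamp the way the `since` parameter in the post is written:
    UTC, millisecond precision, trailing Z."""
    ts = ts.astimezone(timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S") + f".{ts.microsecond // 1000:03d}Z"


def parse_published(value: str) -> datetime:
    """Parse an event's `published` field (same format as iso_z produces)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_log_query(org_url: str, user_id: str, factor_lifetime_minutes: int,
                    now: datetime) -> str:
    """Build the System Log request from the post: successful MFA verifications
    by this actor since (now - factor lifetime). One event is enough to decide."""
    if not _OKTA_ID.match(user_id):
        raise ValueError("user_id is not a valid Okta id")
    since = now - timedelta(minutes=factor_lifetime_minutes)
    flt = (f'eventType eq "{MFA_SUCCESS_EVENT}" and outcome.result eq "SUCCESS" '
           f'and actor.id eq "{user_id}"')
    params = {"filter": flt, "since": iso_z(since),
              "sortOrder": "DESCENDING", "limit": 1}
    return f"{org_url.rstrip('/')}/api/v1/logs?{urlencode(params)}"


def query_params(url: str) -> dict:
    """Decode the query string of a built URL (single value per key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def verified_within_lifetime(event: dict, user_id: str, since: datetime) -> bool:
    """The same predicate the server-side filter applies, evaluated locally on
    one event object. Malformed events never count as a verification."""
    try:
        return (event["eventType"] == MFA_SUCCESS_EVENT
                and event["outcome"]["result"] == "SUCCESS"
                and event["actor"]["id"] == user_id
                and parse_published(event["published"]) >= since)
    except (KeyError, TypeError, ValueError):
        return False


def mfa_required(events: list, user_id: str, factor_lifetime_minutes: int,
                 now: datetime) -> bool:
    """True when the user must verify a factor again, i.e. no qualifying
    success event exists inside the lifetime window. `events` is the JSON
    array returned by the log request (or any broader list of events)."""
    since = now - timedelta(minutes=factor_lifetime_minutes)
    return not any(verified_within_lifetime(e, user_id, since) for e in events)


# Constructed sample data: "now" is 15 minutes after the `since` value in the post.
USER_ID = "00uhprcoy2UXrtTF55d6"
NOW = datetime(2021, 6, 5, 4, 18, 5, 57000, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    # successful MFA verification by our user, 10 minutes ago
    {"eventType": MFA_SUCCESS_EVENT, "outcome": {"result": "SUCCESS"},
     "actor": {"id": USER_ID}, "published": "2021-06-05T04:08:05.057Z"},
    # failed verification by our user, 3 minutes ago: must not count
    {"eventType": MFA_SUCCESS_EVENT, "outcome": {"result": "FAILURE"},
     "actor": {"id": USER_ID}, "published": "2021-06-05T04:15:05.057Z"},
    # success by a different user, 2 minutes ago: must not count
    {"eventType": MFA_SUCCESS_EVENT, "outcome": {"result": "SUCCESS"},
     "actor": {"id": "00uOTHERuser00000000"}, "published": "2021-06-05T04:16:05.057Z"},
    # a different event type for our user, 1 minute ago: must not count
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "actor": {"id": USER_ID}, "published": "2021-06-05T04:17:05.057Z"},
]

if __name__ == "__main__":
    print(build_log_query("https://example.okta.com", USER_ID, 15, NOW))
    print("prompt for MFA (15 min lifetime):", mfa_required(SAMPLE_EVENTS, USER_ID, 15, NOW))
    print("prompt for MFA (5 min lifetime): ", mfa_required(SAMPLE_EVENTS, USER_ID, 5, NOW))
```

In the real flow the request carries the org's API token (`Authorization: SSWS <token>`) and the actor id is the user id from the authentication response; the server-side filter is what actually decides, and the local predicate exists so the decision can be tested without an org. Two points worth keeping in mind before relying on this: the System Log is written after the fact, so a verification that finished a moment ago can briefly be absent and cause one extra prompt, and the timestamp the application compares against must come from its own clock in UTC, not from the client.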
