Is the token lifetime configurable for factor verification codes sent by the Authn API?

When you enroll a factor or issue a factor challenge through the Factors API, there is an option to provide a tokenLifetimeSeconds parameter to control how long the verification code is valid.

Is there an equivalent parameter for the Authentication API?

As an example, a user logs in with /api/v1/authn and gets the MFA_REQUIRED response. This includes a link to verify a factor with a request to /api/v1/authn/factors/${factorId}/verify, which will respond with a MFA_CHALLENGE status. Each of these includes a field for "expiresAt" with a timestamp, but what determines what that timestamp will be? Is this "expiresAt" even related to the lifetime of the verification code or is it only related to the "stateToken"?

Is there a request parameter that can be sent? If not a request parameter, is there an org config setting that can be changed to influence the duration of the issued verification code?

I ask because I want to give our users a sense of how quickly they must act, but I would hate to give inaccurate information.

Relatedly, there does not seem to be a variable available in the Velocity template language related to the token lifetime either.

I received the following information from an Okta Technical Support Engineer in a reply to a Support ticket:

  • The lifetime for SMS code is 5 minutes and cannot be adjusted.
  • The lifetime for Email code is 5 minutes and cannot be adjusted.
  • The lifetime for Okta Verify code is 1 minute. This value is hardcoded and cannot be changed.
  • The lifetime for Google Authenticator code is 1 minute. This value is hardcoded and cannot be changed.

And while stumbling around in the Okta admin console, I discovered that it is possible to adjust the email token lifetime. This setting page is available from the left bar, Security > Multifactor tab. The Edit button reveals a drop-down selector with options from 5 to 30 minutes in 5-minute increments. I have shared this with the Okta support engineer as well.

It appears their information was correct about the SMS, Okta Verify, and Google Authenticator options: there is neither a similar lifetime setting nor an Edit button for those factor types on this same page.
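As an added example, not from the original post or from Okta, here is a small Python helper that turns an MFA_CHALLENGE response into a conservative "act within N seconds" hint for the user. It assumes that `expiresAt` bounds the stateToken (the question above leaves that open), uses the code lifetimes quoted by the support engineer, and takes the configured email lifetime as a parameter; the response payload is constructed for the demo.

```python
import json
from datetime import datetime, timezone

# Code lifetimes in seconds as stated by Okta Support in the post above; email is the
# default and the admin console allows 5 to 30 minutes. Keys are Okta factorType values.
FACTOR_CODE_LIFETIME = {
    "sms": 300,
    "email": 300,
    "token:software:totp": 60,  # Okta Verify code and Google Authenticator
}

def parse_okta_timestamp(ts):
    """Parse an Okta API timestamp such as 2023-01-01T12:05:00.000Z as UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def seconds_to_act(challenge_json, now, email_lifetime_minutes=5):
    """Conservative whole-second budget to show the user: the smaller of the time
    left until expiresAt (assumed here to bound the stateToken; the post does not
    confirm that) and the code lifetime of the challenged factor. Unknown factor
    types fall back to expiresAt alone; the result is never negative."""
    resp = json.loads(challenge_json)
    if resp.get("status") != "MFA_CHALLENGE":
        raise ValueError("expected MFA_CHALLENGE, got %r" % resp.get("status"))
    state_remaining = (parse_okta_timestamp(resp["expiresAt"]) - now).total_seconds()
    factor_type = resp["_embedded"]["factor"]["factorType"]
    lifetimes = dict(FACTOR_CODE_LIFETIME, email=email_lifetime_minutes * 60)
    code_lifetime = lifetimes.get(factor_type, state_remaining)
    return max(0, int(min(state_remaining, code_lifetime)))

def constructed_challenge(factor_type):
    """Constructed MFA_CHALLENGE response for testing (not a real Okta payload)."""
    return json.dumps({
        "stateToken": "<constructed-state-token>",
        "expiresAt": "2023-01-01T12:05:00.000Z",
        "status": "MFA_CHALLENGE",
        "_embedded": {"factor": {"id": "<constructed-factor-id>", "factorType": factor_type}},
    })

def demo():
    """Budgets computed five minutes before the constructed expiresAt."""
    now = datetime(2023, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    return {
        "sms": seconds_to_act(constructed_challenge("sms"), now),
        "email_30min": seconds_to_act(constructed_challenge("email"), now, 30),
        "totp": seconds_to_act(constructed_challenge("token:software:totp"), now),
        "push": seconds_to_act(constructed_challenge("push"), now),  # no OTP code
    }

if __name__ == "__main__":
    print(demo())
```

With five minutes left on the transaction, the SMS and email budgets are capped by `expiresAt` while the TOTP budget is capped by the one-minute code lifetime.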