Long-Lived Okta Authentication in Mobile App

Hi, currently I’m tasked with the following requirements:

  • Create a mobile app that the user logs into Okta with.
  • The user stays permanently logged into Okta (not just a client application, ALL of our org’s Okta), for as long as possible, until they choose to log out.
  • The user can visit any Okta app that’s assigned to them via an in-app browser.

I have the following ideas for how to do this:

  1. The app saves the user’s username/password into secure storage, and uses it to authenticate against Okta every time their session has expired. I don’t like the idea of handling passwords like this. Also, we want to not require MFA if logging in using biometrics like this.

  2. We set the Okta session policy to last 7 days at idle, and then refresh the Okta session when they open the app. The security people aren’t going to like sessions lasting that long.

Am I missing a better way to do this? Which approach would you go for? I am aware that there is already an Okta mobile app that pretty much does this, but we (management) want our own custom solution.

Thanks for reading!
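As an added example (not part of the original post and not Okta's own code or API), the following Python model shows how option 2 behaves: a session with an idle expiry, refreshed each time the app is opened, optionally capped by a maximum session lifetime. The `SessionPolicy`, `Session` and `simulate_app_opens` names and the day offsets are assumptions made up for the illustration; the point is to see that refreshing on open only keeps the session alive while the user keeps opening the app within the idle window, and that an absolute lifetime cap forces a fresh login regardless of activity.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed model of an idle-expiry session policy (assumption, not Okta's API).


@dataclass
class SessionPolicy:
    idle_limit: timedelta                      # expire after this much inactivity
    max_lifetime: Optional[timedelta] = None   # absolute cap; None means no cap


@dataclass
class Session:
    policy: SessionPolicy
    created: datetime
    last_activity: datetime

    def is_alive(self, now: datetime) -> bool:
        """A session dies when idle too long OR when it exceeds the absolute cap."""
        if now - self.last_activity > self.policy.idle_limit:
            return False
        if (self.policy.max_lifetime is not None
                and now - self.created > self.policy.max_lifetime):
            return False
        return True

    def refresh(self, now: datetime) -> bool:
        """What the app does on open: extend the idle timer if the session is still alive.

        Refreshing never resets `created`, so the absolute cap still applies.
        """
        if not self.is_alive(now):
            return False
        self.last_activity = now
        return True


def simulate_app_opens(policy: SessionPolicy, open_days: List[int]) -> List[str]:
    """Log in at day 0, then open the app on each day in `open_days`.

    Returns one outcome per open: "refreshed" when the existing session was
    extended silently, "relogin" when it had expired and a new session (i.e. a
    fresh password/MFA login) was required.
    """
    t0 = datetime(2024, 1, 1)
    session = Session(policy, created=t0, last_activity=t0)
    outcomes = []
    for day in open_days:
        now = t0 + timedelta(days=day)
        if session.refresh(now):
            outcomes.append("refreshed")
        else:
            session = Session(policy, created=now, last_activity=now)
            outcomes.append("relogin")
    return outcomes


if __name__ == "__main__":
    seven_day_idle = SessionPolicy(idle_limit=timedelta(days=7))
    # Gap of 11 days between day 9 and day 20 exceeds the idle limit.
    print(simulate_app_opens(seven_day_idle, [3, 9, 20, 25]))

    capped = SessionPolicy(idle_limit=timedelta(days=7), max_lifetime=timedelta(days=30))
    # User opens every 6 days, so idle never expires, but the 30-day cap forces a relogin at day 33.
    print(simulate_app_opens(capped, [3, 9, 15, 21, 27, 33, 39]))
```

Run with `python3 session_model.py`. The second scenario is the one worth showing the security team: with a maximum lifetime configured alongside the 7-day idle expiry, "permanently logged in" becomes "logged in until the next forced re-authentication", which is a much easier policy to defend than an uncapped idle-only session.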