Question
In Access Control, why is it that even when OTP (One-Time Password) authentication is required under certain conditions, OTP is sometimes not requested when logging in to integrations?
Answer
In Access Control, even if OTP authentication is configured to be required under certain conditions, the OTP prompt may be skipped because the result of an earlier OTP authentication is still stored in a browser cookie.
This article explains the conditions under which OTP re-entry is required and the expiration settings that admins can configure.
Why OTP Re-entry Is Not Required
Once OTP authentication is completed, the authentication result is saved in the browser's cookie.
Even if Access Control authentication is required by a service, as long as the cookie is valid and the same browser is used, OTP re-entry will not be required.
When Cookies Become Invalid
If any of the following apply, the authentication cookie will become invalid and OTP re-entry will be required.
- If you authenticate without selecting "Remember this login" and then close the browser
- If you clear the browser's cache or cookies
- If the source IP address changes (e.g., switching from an internal network to an external network)
- If the authentication cookie expires
[Authentication Cookie Expiration] Settings
Admins can configure [Authentication Cookie Expiration] in the [Access Policy Groups] settings of the Access Control admin console.
This setting allows you to change the period during which the cookie saved after OTP authentication remains valid.
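The following is an added example, not Access Control's own code: a simplified model of the skip decision described above, useful for reasoning about when a login will or will not prompt for OTP. The cookie format, the HMAC signing, the function names and the `Browser` class are all assumptions made for illustration; `lifetime_s` stands in for the [Authentication Cookie Expiration] value, and the model assumes a cookie stored with "Remember this login" survives a browser restart.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed; stands in for a server-side signing key

def _tag(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user, source_ip, now, lifetime_s):
    """Issue the cookie saved after a successful OTP check (hypothetical format)."""
    payload = f"{user}|{source_ip}|{int(now + lifetime_s)}"
    return f"{payload}|{_tag(payload)}"

def otp_reason(cookie, user, source_ip, now):
    """Return why OTP must be re-entered, or None when the cookie lets it be skipped."""
    if not cookie:
        return "no cookie"  # session cookie lost on browser close, or cookies cleared
    parts = cookie.split("|")
    if len(parts) != 4:
        return "invalid cookie"
    expected = _tag("|".join(parts[:3]))
    if not hmac.compare_digest(parts[3].encode(), expected.encode()):
        return "invalid cookie"  # value was altered after it was issued
    c_user, c_ip, c_exp = parts[:3]
    if c_user != user:
        return "different user"
    if c_ip != source_ip:
        return "source IP changed"
    if now >= int(c_exp):
        return "cookie expired"
    return None

class Browser:
    """Minimal cookie jar: a session cookie is dropped when the browser closes."""
    def __init__(self):
        self.cookie, self.persistent = None, False
    def store(self, cookie, remember):
        self.cookie, self.persistent = cookie, remember
    def close(self):
        if not self.persistent:
            self.cookie = None
    def clear_cookies(self):
        self.cookie = None

if __name__ == "__main__":
    b = Browser()  # constructed sample values below (documentation IP ranges)
    b.store(issue_cookie("alice", "203.0.113.10", now=0, lifetime_s=3600), remember=False)
    print(otp_reason(b.cookie, "alice", "203.0.113.10", now=60))  # same browser, same IP
    print(otp_reason(b.cookie, "alice", "198.51.100.7", now=60))  # network switched
```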
For details on the behavior when "Remember this login" is selected, please refer to the following article.
[Access Control] How to Use the "Remember this login" Feature on the Login Screen