The Authentication tab under Settings lets administrators set the organization's:
- Web session timeout
- MFA (multi-factor authentication)

Here, admins configure a session timeout for a single login to the Fordefi Web console - for all users in the organization. When the timeout has lapsed since the start of the session, the user is automatically logged off.
When a user belongs to more than one organization, the shortest timeout session defined for that user, across all organizations, is effective.
- The web console inactivity timeout is fixed at 24 hours. This means that even if you set the session timeout to be longer than 24 hours, then, for added security, the user will still be logged out if they are inactive for 24 hours.
- The web console timeout setting has no affect on the length of mobile sessions.
Here's how you set the web console timeout:
- In the web console, click Settings > Authentication.
- In the screen that is displayed, click Edit in the upper-right.
- In the field and list that open, specify the desired number of hours and minutes.
- Click Save.
MFA is optional for an organization and is activated globally by an administrator for all users in the organization. When activated, users must set up MFA for their account on their next login.
As part of the activation, admins can choose whether to enable the option “remember this device for 30 days” for users. If not enabled, MFA is required on every login.
To activate MFA:
- In the web console, click Settings > Authentication.
- Click Turn on MFA. Confirm the activation in the notification that is displayed.
- If you so choose, toggle on Remember this device for 30 days.
- Supported MFA methods are TOTP (available through apps such as Google Authenticator or Yubico Authenticator) and WebAuthn security keys (such as a YubiKey). Users manage their own MFA methods from their profile's Authentication settings
- For security reasons, once MFA is turned on for an organization, it cannot be turned off. To reset MFA, contact Fordefi support.
When an organization has MFA activated, each user's account is tied to a single login method, coupled with the MFA the user set up for that method.
Coupling each MFA-enabled account to one login method keeps MFA coverage consistent and the sign-in experience clear.
This applies only to organizations where an admin has mandated MFA. If MFA is not activated for your organization, users can continue to sign in using any of the supported login methods - email and password OR passkey, Google, Microsoft, or Apple social login, or Okta SSO - with no change.
If a user in an MFA-enabled organization needs to change the login method coupled with their account, contact Fordefi support at support@fordefi.com.
You can add Fordefi to the applications in your organization that require authentication and authorization under Okta SSO using the OIDC (OpenID Connect) protocol. Once integration is complete, users seeking to log in to Fordefi will be signed in through Okta instead.
The integration is applied across all workspaces in your Fordefi organization and there is no expected downtime during the transition.
Once Okta SSO is enabled, every user whose email matches your configured Okta domain(s) (for example, acme.com) will no longer be able to sign in with a username and password. They will only be able to authenticate through Okta or another configured SSO method (such as Google SSO).
Before requesting the cutover, make sure that every Fordefi user on those domains has an active Okta account tied to the same email address they use for Fordefi. This prevents anyone from being locked out after the switch.
When configuring your Okta application, use the following values:
- Redirect URI (sign-in redirect URI):
https://auth.fordefi.com/login/callback - Logout redirect URI: Not required - Fordefi does not trigger a logout redirect on Okta, so you can leave this field empty.
- Login URL (if needed for your configuration):
app.fordefi.com
Reach out to Fordefi Customer Service at support@fordefi.com with the following information:
- The
client_idof your Okta application. - The
client_secretof your Okta application, please share it securely using 1Password item sharing or an equivalent secure channel. - Your Okta domain, in the format
my-domain.okta.com. - The email domain(s) that should be redirected to Okta authentication (for example,
acme.com).
Once Fordefi receives and configures these details, SSO will be enabled for your organization — no further action is required on your side.
If your Fordefi workspace has MFA activated, be aware that once Okta SSO is enabled, all workspace users will need to create a new MFA record. Fordefi treats Okta as a new login method, so existing MFA registrations do not carry over.