Introducing Universal Logout for all Adaptive MFA customers

Secure sessions, on your own terms. Okta is expanding the power of Universal Logout to more customers, providing better control over session management so that you can strengthen your organization’s security posture with minimal complexity.

The power of Universal Logout for session security 

Managing sessions and tokens across distributed applications has long challenged identity teams. Universal Logout is a powerful capability that allows admins to revoke sessions and tokens across federated applications.

Starting today, Universal Logout is now available for all Okta Adaptive MFA customers (with some restrictions as stated below). This feature enables Super Admins to manually clear sessions and revoke tokens from the Okta Admin Console, expanding their security toolkit for session management.

Why change?

Whether responding to a compromised session, meeting compliance mandates, or cleaning up stale sessions, revoking all user access in a timely and effective manner is a critical capability.

Without Universal Logout, even if a user’s Okta session is cleared, downstream app sessions (sessions from the other applications that the user signed in to) might still be active, leaving a critical security gap. AMFA customers previously lacked a reliable, built-in way to close that gap.

What’s new for Adaptive MFA customers?

Before today, Adaptive MFA customers were able to leverage session management capabilities like

• Clear all Okta sessions (active sessions on all devices)
• Revoke OIDC/OAuth tokens, requiring fresh re-authentication
• Clear “Keep me signed in” states

With this launch, AMFA Super Admins can now:

• Revoke access for logout-enabled apps and Okta API tokens

But there are some important restrictions to be aware of:
 

*Note: This means Super Admins can manually revoke access for three users per minute via the Okta Admin Console but can’t currently automate this process via API or Workflows integrations.

Why choose Okta?

This enhancement underscores Okta’s Secure Identity Commitment by expanding advanced security capabilities to more customers. We're helping more organizations reduce session-related risks and respond quickly to security incidents.

And because you can access the feature through a familiar admin console, there's no need for complex setup or reconfiguration.

What you can do today

Curious about how you can access Adaptive MFA? Wonder no more.

• If you're an Adaptive MFA customer, you can access Universal Logout from the Okta Admin Console today.
• Not yet on Adaptive MFA? Learn how Adaptive MFA helps protect against phishing and session hijacking: Explore Adaptive MFA
• If you’re an Identity Threat Protection customer, good news: You already enjoy full Universal Logout functionality, including API-based triggers and automation.

Your feedback helps shape our product roadmap. Let us know how you’re using Universal Logout and what capabilities you'd like to see next.

Get started

Ready to start using Universal Logout? Follow these simple instructions:

• Configure Universal Logout for an application. 
• Once configured, log in to the Okta Admin Console → Navigate to a user profile → Click More Actions → Clear sessions and revoke tokens
  
• Learn more about Universal Logout in our help docs.
• Want to try out building UL? Sign up for the Okta Dev Org

These materials are intended for general informational purposes only and are not intended to be legal, privacy, security, compliance, or business advice.