Elevated Session

The Elevated Session Identity Validation implementation ensures that users cannot perform actions which may adjust the security characteristics of their account without first ensuring the user is adequately identified. The settings below therefore can affect the level of security Authelia provides to your users so they should be carefully considered.

Elevated Sessions are initiated by generating a One-Time Code, this One-Time Code is then exchanged for a special status stored in the session which allows the privileged actions. The elevation itself is anchored to the users Remote IP and only lasts for a finite amount of time. Users at this time may not revoke the elevated session manually, but may revoke the One-Time Code so that it cannot be used to create a new elevated session.


    code_lifespan: '5 minutes'
    elevation_lifespan: '10 minutes'
    characters: 8
    require_second_factor: false
    skip_second_factor: false


This section describes the individual configuration options.


string integer duration 5 minutes not required

The lifespan of the randomly generated One Time Code after which it’s considered invalid


string integer duration 10 minutes not required

The lifespan of the elevation after initially validating the One-Time Code before it expires.


integer 8 not required

The number of characters the random One-Time Code has. Maximum value is currently 20, but we recommend keeping it between 8 and 12. It’s strongly discouraged to reduce it below 8.


boolean false not required

Requires second factor authentication for all protected actions in addition to the elevated session provided the user has configured a second factor authentication method.


boolean false not required

Skips the elevated session requirement if the user has performed second factor authentication. Can be combined with the require_second_factor option to always (and only) require second factor authentication.