Elevated Session

The Elevated Session Identity Validation implementation ensures that users cannot perform actions which may adjust the security characteristics of their account without first ensuring the user is adequately identified. The settings below therefore can affect the level of security Authelia provides to your users so they should be carefully considered.

Elevated Sessions are initiated by generating a One-Time Code, this One-Time Code is then exchanged for a special status stored in the session which allows the privileged actions. The elevation itself is anchored to the users Remote IP and only lasts for a finite amount of time. Users at this time may not revoke the elevated session manually, but may revoke the One-Time Code so that it cannot be used to create a new elevated session.

Configuration

Example Configuration

This section is intended as an example configuration to help users with a rough contextual layout of this configuration section, it is not intended to explain the options. The configuration shown may not be a valid configuration, and you should see the options section below and the navigation links to properly understand each option individually.

configuration.yml
identity_validation:
  elevated_session:
    code_lifespan: '5 minutes'
    elevation_lifespan: '10 minutes'
    characters: 8
    require_second_factor: false
    skip_second_factor: false

Options

This section describes the individual configuration options.

code_lifespan

string integer duration 5 minutes not required

Reference Note

This configuration option uses a common syntax. For more information please see both the configuration example and the Common Syntax: Duration reference guide.

The lifespan of the randomly generated One Time Code after which it’s considered invalid

elevation_lifespan

string integer duration 10 minutes not required

Reference Note

This configuration option uses a common syntax. For more information please see both the configuration example and the Common Syntax: Duration reference guide.

The lifespan of the elevation after initially validating the One-Time Code before it expires.

characters

integer 8 not required

The number of characters the random One-Time Code has. Maximum value is currently 20, but we recommend keeping it between 8 and 12. It’s strongly discouraged to reduce it below 8.

require_second_factor

boolean false not required

Requires second factor authentication for all protected actions in addition to the elevated session provided the user has configured a second factor authentication method.

skip_second_factor

boolean false not required

Skips the elevated session requirement if the user has performed second factor authentication. Can be combined with the require_second_factor option to always (and only) require second factor authentication.