Authenticator expiration time

  • Updated on Nov 19, 2025
  • Published on Jul 7, 2025
  • 1 minute(s) read
Prev Next

The authenticator expiration time defines a particular date and time when an authenticator expires and can no longer be used for authentication. This will enable administrators to have more control over which authenticator is active or not. An authenticator will not validate authentications after the expiration time.

Setting the authenticator expiration time

The expiration time is set when the authenticator is assigned:

Individual assignment

The expiration time is defined during assignment.

Bulk assignment

The expiration time is defined during assignment.

Auto assignment

The expiration time will be calculated as the current date and time plus the expiration period defined in the policy. This may result in an expiration time and time which is not the end of the day. If no expiration period is defined in the policy, the authenticator will never expire.

For regular authenticators (standard-device licensing) and for authenticator licenses (multi-device licensing), the authenticator expiration time is set as calculated. Authenticator instances will inherit the authenticator expiration time of the linked authenticator license.

Editing the authenticator expiration time

You can explicitly set and edit the authenticator expiration time manually using the Administration Web Interface. This can also be used to add an authenticator expiration time to existing authenticators, which are already assigned to users.

For regular authenticators (standard-device licensing), the authenticator expiration time may be changed to any time in the future. For authenticator licenses and instances (multi-device licensing), the authenticator expiration time may be changed depending on the global Propagate expiration time setting.

Removing the authenticator expiration time

Authenticator expiration times can be removed by clearing the Expiry Date field on the authenticator management screen in the Administration Web Interface. An authenticator that has already expired will regain all its functionality if the expiration time is removed.

When an authenticator is unassigned the expiration time is cleared. If the authenticator is reassigned, a new expiration time can be allocated.