Appendix: When, Exactly, is Two-Factor Authentication Required?

Important: Identity Cloud’s 2FA feature is currently in Limited Availability. Please contact your Akamai representative, as usage of 2FA features must be approved during Limited Availability.


For the most part, two-factor authentication – and trusted devices – is pretty straightforward: log on with an untrusted device and you need to go through the 2FA process. Log on with a trusted device and you don’t need to go through the 2FA process.

That’s a generally true statement, but in reality the process can be a little more complicated (as we’ve already seen, if you set authentication.second_factor.trust_device_ttl to 0 you’ll always need to go through two-factor authentication, regardless of whether or not your device is trusted). Each time a user logs on, a number of factors come into play:

  • Is 2FA enabled?
  • Is authentication.second_factor.trust_device_ttl set to 0?
  • If authentication.second_factor.trust_device_ttl isn’t set to 0, has the TTL interval expired?
  • Is the user rejoining an existing Hosted Login session or creating a new session?
  • Was the prompt parameter used in the authorization request and, if so, what value was assigned to that parameter?

To help you sort through these possibilities, the following appendix walks through different scenarios (e.g., two-factor authentication is enabled, the user is logging on from an untrusted device, and the two-factor TTL value has not been set) and describes the login experience based on:


  • The value of the authorization request’s prompt parameter.
  • Whether or not a valid Hosted Login session is running.



Scenario 1


Two-Factor Authentication Enabled: No
Device is Trusted: N/A
authentication.second_factor.trust_device_ttl Value: N/A

This scenario is pretty straightforward: if you haven’t enabled two-factor authentication then your users will never have to deal with two-factor authentication.

Authorization request prompt parameter | Current authentication session is valid | Result
--- | --- | ---
(not present) | Yes | 1. User is automatically logged on. 2. No two-factor authentication is required.
login | Yes | 1. User is presented with the login screen. 2. No two-factor authentication is required.
none | Yes | 1. User is automatically logged on. 2. No two-factor authentication is required.
(not present) | No | 1. User is presented with the login screen. 2. No two-factor authentication is required.
login | No | 1. User is presented with the login screen. 2. No two-factor authentication is required.
none | No | Error: No authenticated session found.




Scenario 2


Two-Factor Authentication Enabled: Yes
Device is Trusted: No
authentication.second_factor.trust_device_ttl Value: Not present in the application client

Another fairly simple one: if the user sees a login screen then they’ll also have to go through the two-factor authentication process. That’s because they’re not logging in from a trusted device.

Authorization request prompt parameter | Current authentication session is valid | Result
--- | --- | ---
(not present) | Yes | 1. User is automatically logged on. 2. No two-factor authentication is required.
login | Yes | 1. User is presented with the login screen. 2. Two-factor authentication is required.
none | Yes | 1. User is automatically logged on. 2. No two-factor authentication is required.
(not present) | No | 1. User is presented with the login screen. 2. Two-factor authentication is required.
login | No | 1. User is presented with the login screen. 2. Two-factor authentication is required.
none | No | Error: No authenticated session found.




Scenario 3


Two-Factor Authentication Enabled: Yes
Device is Trusted: No
authentication.second_factor.trust_device_ttl Value: TTL session has not expired

Similar to Scenario 2: any time the user sees a login screen they’ll be required to use two-factor authentication.

Authorization request prompt parameter | Current authentication session is valid | Result
--- | --- | ---
(not present) | Yes | 1. User is automatically logged on. 2. No two-factor authentication is required.
login | Yes | 1. User is presented with the login screen. 2. Two-factor authentication is required.
none | Yes | 1. User is automatically logged on. 2. No two-factor authentication is required.
(not present) | No | 1. User is presented with the login screen. 2. Two-factor authentication is required.
login | No | 1. User is presented with the login screen. 2. Two-factor authentication is required.
none | No | Error: No authenticated session found.




Scenario 4


Two-Factor Authentication Enabled: Yes
Device is Trusted: No
authentication.second_factor.trust_device_ttl Value: 0

Another scenario where the user is required to use two-factor authentication any time they see a login screen. Because authentication.second_factor.trust_device_ttl is set to 0, two-factor authentication is required even if the user happens to be logging on from a trusted device.

Authorization request prompt parameter | Current authentication session is valid | Result
--- | --- | ---
(not present) | Yes | 1. User is automatically logged on. 2. No two-factor authentication is required.
login | Yes | 1. User is presented with the login screen. 2. Two-factor authentication is required.
none | Yes | 1. User is automatically logged on. 2. No two-factor authentication is required.
(not present) | No | 1. User is presented with the login screen. 2. Two-factor authentication is required.
login | No | 1. User is presented with the login screen. 2. Two-factor authentication is required.
none | No | Error: No authenticated session found.




Scenario 5


Two-Factor Authentication Enabled: Yes
Device is Trusted: No
authentication.second_factor.trust_device_ttl Value: TTL session has expired

Yet another straightforward scenario: if you see a login screen you’ll need to use two-factor authentication.

Authorization request prompt parameter | Current authentication session is valid | Result
--- | --- | ---
(not present) | Yes | 1. User is automatically logged on. 2. No two-factor authentication is required.
login | Yes | 1. User is presented with the login screen. 2. Two-factor authentication is required.
none | Yes | 1. User is automatically logged on. 2. No two-factor authentication is required.
(not present) | No | 1. User is presented with the login screen. 2. Two-factor authentication is required.
login | No | 1. User is presented with the login screen. 2. Two-factor authentication is required.
none | No | Error: No authenticated session found.




Scenario 6


Two-Factor Authentication Enabled: Yes
Device is Trusted: Yes
authentication.second_factor.trust_device_ttl Value: Not present in the application client

Because the device is trusted, two-factor authentication is not required (at least not for 30 days, the default time-to-live value). Just to be clear, users will have to use two-factor authentication on their initial login; after all, that’s how they configure a trusted device.

Authorization request prompt parameter | Current authentication session is valid | Result
--- | --- | ---
(not present) | Yes | 1. User is automatically logged on. 2. No two-factor authentication is required.
login | Yes | 1. User is presented with the login screen. 2. No two-factor authentication is required.
none | Yes | 1. User is automatically logged on. 2. No two-factor authentication is required.
(not present) | No | 1. User is presented with the login screen. 2. No two-factor authentication is required.
login | No | 1. User is presented with the login screen. 2. No two-factor authentication is required.
none | No | Error: No authenticated session found.




Scenario 7


Two-Factor Authentication Enabled: Yes
Device is Trusted: Yes
authentication.second_factor.trust_device_ttl Value: TTL session is valid

After the initial login, and after the device is trusted, two-factor authentication isn’t required (at least not until the TTL session has expired).

Authorization request prompt parameter | Current authentication session is valid | Result
--- | --- | ---
(not present) | Yes | 1. User is automatically logged on. 2. No two-factor authentication is required.
login | Yes | 1. User is presented with the login screen. 2. No two-factor authentication is required.
none | Yes | 1. User is automatically logged on. 2. No two-factor authentication is required.
(not present) | No | 1. User is presented with the login screen. 2. No two-factor authentication is required.
login | No | 1. User is presented with the login screen. 2. No two-factor authentication is required.
none | No | Error: No authenticated session found.




Scenario 8


Two-Factor Authentication Enabled: Yes
Device is Trusted: Yes
authentication.second_factor.trust_device_ttl Value: 0

If you see a login screen you’ll have to use two-factor authentication even though you’re logging on from a trusted device.

Authorization request prompt parameter | Current authentication session is valid | Result
--- | --- | ---
(not present) | Yes | 1. User is automatically logged on. 2. No two-factor authentication is required.
login | Yes | 1. User is presented with the login screen. 2. Two-factor authentication is required.
none | Yes | 1. User is automatically logged on. 2. No two-factor authentication is required.
(not present) | No | 1. User is presented with the login screen. 2. Two-factor authentication is required.
login | No | 1. User is presented with the login screen. 2. Two-factor authentication is required.
none | No | Error: No authenticated session found.




Scenario 9


Two-Factor Authentication Enabled: Yes
Device is Trusted: Yes
authentication.second_factor.trust_device_ttl Value: TTL session has expired

Authorization request prompt parameter | Current authentication session is valid | Result
--- | --- | ---
(not present) | Yes | 1. User is not presented with the login screen. 2. Two-factor authentication is required.
login | Yes | 1. User is presented with the login screen. 2. Two-factor authentication is required.
none | Yes | Error: Authorization rule 'authentication.second_factor' failed.
(not present) | No | 1. User is presented with the login screen. 2. Two-factor authentication is required.
login | No | 1. User is presented with the login screen. 2. Two-factor authentication is required.
none | No | Error: No authenticated session found.
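The nine tables above are one decision procedure viewed row by row: prompt=none with no session always fails, prompt=login always shows the login screen, a valid session is rejoined silently unless a trusted device's TTL has expired (Scenario 9), and the second factor is demanded on the login screen whenever 2FA is on and the device is either untrusted or trusted with a TTL of 0 or an expired TTL. The following Python is an added illustration, not Akamai code: it models those tables so you can check a given combination of settings before changing authentication.second_factor.trust_device_ttl. The class names, the Ttl enumeration and the Outcome fields are assumptions of this example; Scenario 1's N/A values are modelled as "untrusted, TTL not present", which the decision never inspects because 2FA is off.

```python
"""Model of the Hosted Login two-factor decision tables above.

Constructed example: the class names, the Ttl enumeration and the
Outcome fields are assumptions of this illustration, not Akamai's API.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Ttl(Enum):
    """State of authentication.second_factor.trust_device_ttl for this login."""
    ABSENT = "not present in the application client"   # 30-day default applies
    ZERO = "set to 0"                                    # device trust never honoured
    VALID = "TTL session is valid"
    EXPIRED = "TTL session has expired"


@dataclass(frozen=True)
class LoginContext:
    two_factor_enabled: bool
    device_trusted: bool
    ttl: Ttl
    prompt: Optional[str]   # None (parameter not present), "login" or "none"
    session_valid: bool     # is there a valid Hosted Login session to rejoin?


@dataclass(frozen=True)
class Outcome:
    login_screen: bool      # is the user shown the login screen?
    second_factor: bool     # must the user complete two-factor authentication?
    error: Optional[str] = None


NO_SESSION = "No authenticated session found."
RULE_FAILED = "Authorization rule 'authentication.second_factor' failed."


def second_factor_needed(ctx: LoginContext) -> bool:
    """Whether the login screen is followed by the second factor."""
    if not ctx.two_factor_enabled:
        return False
    if not ctx.device_trusted:
        return True
    # trusted device: trust is honoured only while the TTL is absent (default) or valid
    return ctx.ttl in (Ttl.ZERO, Ttl.EXPIRED)


def decide(ctx: LoginContext) -> Outcome:
    """Return the login experience for one row of the tables above."""
    if ctx.prompt not in (None, "login", "none"):
        raise ValueError(f"unsupported prompt value: {ctx.prompt!r}")

    if not ctx.session_valid:
        # prompt=none forbids any interaction, so no session means an error
        if ctx.prompt == "none":
            return Outcome(login_screen=False, second_factor=False, error=NO_SESSION)
        return Outcome(login_screen=True, second_factor=second_factor_needed(ctx))

    if ctx.prompt == "login":
        # prompt=login forces re-authentication even with a valid session
        return Outcome(login_screen=True, second_factor=second_factor_needed(ctx))

    # prompt absent or "none": the user rejoins the existing session
    trust_lapsed = ctx.two_factor_enabled and ctx.device_trusted and ctx.ttl is Ttl.EXPIRED
    if not trust_lapsed:
        return Outcome(login_screen=False, second_factor=False)
    # Scenario 9: the device's trust window expired while the session stayed valid
    if ctx.prompt == "none":
        return Outcome(login_screen=False, second_factor=False, error=RULE_FAILED)
    return Outcome(login_screen=False, second_factor=True)


# (2FA enabled, device trusted, TTL state) for Scenarios 1 to 9 on this page
SCENARIOS: Dict[int, Tuple[bool, bool, Ttl]] = {
    1: (False, False, Ttl.ABSENT),   # N/A values: never inspected when 2FA is off
    2: (True, False, Ttl.ABSENT),
    3: (True, False, Ttl.VALID),
    4: (True, False, Ttl.ZERO),
    5: (True, False, Ttl.EXPIRED),
    6: (True, True, Ttl.ABSENT),
    7: (True, True, Ttl.VALID),
    8: (True, True, Ttl.ZERO),
    9: (True, True, Ttl.EXPIRED),
}


def scenario_row(n: int, prompt: Optional[str], session_valid: bool) -> Outcome:
    enabled, trusted, ttl = SCENARIOS[n]
    return decide(LoginContext(enabled, trusted, ttl, prompt, session_valid))


def scenario_table(n: int) -> List[Tuple[str, str, Outcome]]:
    """All six rows of scenario n, in the same order as the tables above."""
    rows = []
    for session_valid in (True, False):
        for prompt in (None, "login", "none"):
            label = "(not present)" if prompt is None else prompt
            rows.append((label, "Yes" if session_valid else "No",
                         scenario_row(n, prompt, session_valid)))
    return rows


if __name__ == "__main__":
    for n in SCENARIOS:
        print(f"Scenario {n}")
        for label, valid, out in scenario_table(n):
            print(f"  prompt={label:<13} session={valid:<3} -> {out}")
```

Running the script prints the nine tables as the model derives them; the rows worth comparing against the page are Scenario 9's, where a valid session with no prompt parameter demands the second factor without a login screen, and prompt=none on that same session produces the authorization-rule error rather than a silent login.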


See Also