Requiring 2FA Each Time a User Logs On (Running time: 3:01)
Some organizations prefer that two-factor authentication kick in each time a user logs on. To require two-factor authentication with each login, all you have to do is set the value of the authentication.second_factor.trust_device_ttl setting to 0.
This sets the time-to-live value for two-factor authentication to 0 seconds; that means that your two-factor authentication session expires immediately. In turn, that means that you’ll always have to use two-factor authentication when you log on.
Keep in mind that, if you set authentication.second_factor.trust_device_ttl to 0, Hosted Login doesn’t care whether or not you have previously configured your device as a trusted device: you’ll always be required to use two-factor authentication. In fact, if you set authentication.second_factor.trust_device_ttl to 0, the trusted devices checkbox no longer appears on the authRule_secondFactorLoginCode screen.
Why not? That’s right: because, with authentication.second_factor.trust_device_ttl set to 0, trusted devices are now treated exactly the same as untrusted devices.
But here’s an interesting scenario:
- The first time you log on to a website, you configure your computer as a trusted device.
- The next time you log on to that website, you supply your login credentials and then, because you’re using a trusted device, you’re able to bypass two-factor authentication.
- At about that same time, your administrator updates the application client you use when logging on, setting authentication.second_factor.trust_device_ttl to 0.
- The next time you log on, you’re required to use two-factor authentication.
- Your administrator then decides to switch gears, and resets authentication.second_factor.trust_device_ttl back to the default value of 30 days (2,592,000 seconds).
- The next time you log on to that website, you supply your login credentials but are able to bypass two-factor authentication. That’s because Hosted Login “remembered” that yours was a trusted device and, as long as you’re still within the new two-factor TTL interval, you’re allowed to log in without going through two-factor authentication.
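The scenario above comes down to one rule: the trust record created when a user ticks the checkbox is kept, and each login compares its age against whatever TTL is in force at that moment. The following is an added model of that check written for this page (not Hosted Login's own code); it assumes the trust timestamp survives a TTL change, which is exactly what the scenario describes, and replays the five logins to show that setting the TTL to 0 suppresses trust rather than revoking it.

```python
from datetime import datetime, timedelta

# Constructed model of the trusted-device check described on this page.
# Assumption: the "trusted at" timestamp stored when the user ticks the
# checkbox is retained even while trust_device_ttl is 0, and every login
# evaluates that timestamp against the TTL currently configured.

DEFAULT_TTL_SECONDS = 30 * 24 * 60 * 60  # 2,592,000 seconds (30 days)


def second_factor_required(trusted_at, now, trust_device_ttl):
    """Return True if the user must complete 2FA at this login.

    trusted_at: datetime when the device was marked trusted, or None.
    now: datetime of the login attempt.
    trust_device_ttl: authentication.second_factor.trust_device_ttl, in seconds.
    """
    if trust_device_ttl <= 0:
        # TTL 0: the trust session expires immediately, so trusted and
        # untrusted devices are treated the same and 2FA is always required.
        return True
    if trusted_at is None:
        return True  # device was never marked trusted
    age_seconds = (now - trusted_at).total_seconds()
    return age_seconds >= trust_device_ttl


def walk_through_scenario():
    """Replay the page's scenario; returns the 2FA decision for each login."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed timestamp of login 1
    trusted_at = t0                     # login 1: user ticks "trusted device"
    decisions = []
    # Login 2 (next day): default TTL, device trusted -> 2FA bypassed.
    decisions.append(second_factor_required(trusted_at, t0 + timedelta(days=1), DEFAULT_TTL_SECONDS))
    # Admin sets TTL to 0. Login 3 -> 2FA required despite the trust record.
    decisions.append(second_factor_required(trusted_at, t0 + timedelta(days=2), 0))
    # Admin restores the 30-day default. Login 4 is still inside the window
    # measured from the ORIGINAL trust timestamp -> 2FA bypassed again.
    decisions.append(second_factor_required(trusted_at, t0 + timedelta(days=3), DEFAULT_TTL_SECONDS))
    # Login 5, 31 days after trust was granted -> window elapsed, 2FA required.
    decisions.append(second_factor_required(trusted_at, t0 + timedelta(days=31), DEFAULT_TTL_SECONDS))
    return decisions


if __name__ == "__main__":
    print(walk_through_scenario())  # [False, True, False, True]
```

The practical consequence for an administrator is that a temporary TTL of 0 is not a way to clear existing trusted devices: once the default is restored, every device trusted within the last 30 days bypasses two-factor authentication again.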