Why Aren't My Users Undergoing 2FA Anymore?

Important: Identity Cloud's 2FA feature is currently in Limited Availability. Please contact your Akamai representative, as usage of 2FA features must be approved during Limited Availability.


Assuming that you haven’t disabled 2FA altogether, this is probably an artifact of Hosted Login’s support for trusted devices. With trusted devices, a user logs on the first time and is required to go through the 2FA process. As part of that process, however, the user can mark their device as a “trusted device.” That means that, for a specified period of time (and under certain conditions), the user is exempt from two-factor authentication: after they log on they’re given an access token and are allowed to bypass the 2FA process. By default, users can go 30 days without having to deal with 2FA; that means they can go quite a while (like, say, 30 days) without ever being prompted to enter a 2FA access code. (Again, assuming that they are logging on from a trusted device.)

The bottom line? It’s not unusual for users to go through 2FA the first time they log on, then be able to bypass 2FA for weeks at a time.


You say you’re not sure you like that? That’s fine: by adding the authentication.second_factor.trust_device_ttl setting to your application client, you can change the 30-day exemption period to something shorter; in fact, by setting authentication.second_factor.trust_device_ttl to 0 you can require users to use 2FA each and every time they log on. See this article for details.

