1

Closed

Feature request: do not ask for MFA every time

description

Hi, it would be nice to have an option not to ask the user for multi-factor authentication at every single log-in.

For example, a cookie can be set in the user's browser for N days that allows them to skip MFA validation for those N days.
Registrations on other devices will require the full MFA procedure to be done as usual.

Our users complain that it is too restrictive to require SMS/mail validation on every login, and we are OK with the security weakening that this change may introduce.

Increasing the session lifetime in ADFS is also an option, but it is even less secure and thus not desirable.
Closed May 15 at 9:42 AM by redhook

comments

redhook wrote May 5 at 3:23 PM

Hello kkorn,

The MFA process relies entirely on how your federation services are set up, so MFA is triggered according to the rules you have configured. As soon as there is an authentication, there is multi-factor (if applicable).
Two solutions:
  • Produce an MFA rule taking into account the "Last LogonTime" in ADDS (scripted in PowerShell) - the hard way!
  • Enable the "Keep me signed in" (KMSI) ADFS feature:

- Look at these properties:
    Get-AdfsProperties | Select-Object KmsiEnabled, KmsiLifetimeMins

- Change the values and apply them with Set-AdfsProperties:
    Set-AdfsProperties -KmsiEnabled $true -KmsiLifetimeMins 1440

If the user is kept signed in, no MFA occurs.

Regards

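The KMSI change from the comment above, written out as a checked script. This is an added example, not code from the original thread or from the ADFS product: it reads the current settings, applies the new values, and verifies that they took effect. It assumes it is run in an elevated PowerShell session on the primary ADFS server, and it assumes (as a version caveat) that the enable switch is named KmsiEnabled on ADFS 2012 R2 and EnableKmsi on ADFS 2016 and later, so it detects which property the server exposes rather than hard-coding one; the 1440-minute lifetime is the value from the comment, not a recommendation.

```powershell
# Added example (not from the original thread): inspect, change and verify the
# ADFS "Keep me signed in" (KMSI) settings. Run elevated on the primary ADFS server.
Import-Module ADFS

# Lifetime of the persistent sign-in, in minutes. 1440 = 1 day, as in the thread.
# Assumption: pick the shortest value your users will tolerate, since a KMSI
# cookie is a bearer credential that skips MFA for its whole lifetime.
$lifetimeMins = 1440

$before = Get-AdfsProperties

# Assumption: the property name differs by ADFS version (KmsiEnabled on 2012 R2,
# EnableKmsi on 2016+). Detect which one this server actually exposes.
$enabledName = if ($before.PSObject.Properties['EnableKmsi']) { 'EnableKmsi' } else { 'KmsiEnabled' }

"Before: $enabledName=$($before.$enabledName) KmsiLifetimeMins=$($before.KmsiLifetimeMins)"

# Splatting lets the same call work with whichever parameter name exists.
$change = @{ $enabledName = $true; KmsiLifetimeMins = $lifetimeMins }
Set-AdfsProperties @change

# Re-read the configuration and fail loudly if it does not match what was requested.
$after = Get-AdfsProperties
if (-not $after.$enabledName -or $after.KmsiLifetimeMins -ne $lifetimeMins) {
    throw "KMSI settings were not applied: $enabledName=$($after.$enabledName) KmsiLifetimeMins=$($after.KmsiLifetimeMins)"
}
"After:  $enabledName=$($after.$enabledName) KmsiLifetimeMins=$($after.KmsiLifetimeMins)"
```

Note that enabling KMSI only adds the "Keep me signed in" checkbox to the sign-in page; the persistent cookie is issued only for sessions where the user ticks it, and it is sent with the same privileges as an interactive MFA-completed login, which is the trade-off the original request accepts.
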
kkorn wrote May 6 at 4:59 AM

Thanks for the answer!
Will use the "Kmsi" feature for now.

redhook wrote May 6 at 8:31 PM