Bypass MFA

Bypass MFA for users when they are within the corporate network or on a managed device. MFA is optional but strongly recommended for organizations. Under certain conditions, organizations may choose to bypass the default multi-factor authentication behavior. Akamai provides customers with configuration options that allow an administrator to bypass its MFA capabilities in the following circumstances:

  • When the user is accessing the application from a corporate network, using specific network zones.

  • When the user is using a managed device with a valid client certificate.

  • When the user is inside a corporate network, specified by network zones with a managed device that has a valid client certificate.

Use bypass MFA only if you understand the risks and agree to assume responsibility for them.

Bypass MFA only applies to MFA factors like SMS, Email, TOTP, and Duo. Bypass MFA cannot be used with PCI DSS MFA.

The workflow is the following:

  1. If you've configured an MFA policy in the Akamai identity provider (IdP), then also add one or more bypass MFA criteria in the IdP. By default, the bypass MFA criteria apply to all applications using this IdP.

  2. Use the identity provider as the authentication source for the application for which you want to bypass MFA. Assign the directory the user belongs to to this identity provider.

  3. When the user accesses the application or the identity provider, and the bypass criteria are met, MFA is not prompted for the user. If any of the bypass MFA criteria is not met, the user is prompted for MFA.

📘

You can disable the evaluation of bypass MFA criteria on an application basis, in which case MFA applies for the application.

Configure bypass MFA criteria for an Akamai identity provider

You can bypass the use of MFA for any Akamai identity provider, based on predefined criteria such as the user being within the corporate network, on a managed device, or both. When the criteria are met, the user is not prompted for MFA.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity Providers.

  3. Select your identity provider for which you want to configure bypass MFA and click to open it.

  4. In the Settings tab, scroll down to the MFA section.

  5. In the Bypass MFA criteria, click Add Criteria, to add criteria on when to not prompt the user for MFA.
    Enterprise Application Access supports up to two criteria, On Corporate Network and Device is managed. Select either or both of these criteria and configure accordingly.

  6. When you enable On Corporate Network as a bypass MFA criterion, select a network zone where MFA is bypassed when the user is in this zone. If the user is outside this network zone, MFA is enforced.

    • To configure a new network zone, select Add New Network Zone, provide a network zone name, add an IP/CIDR or a comma-separated list of IPs/CIDRs, select Add new Network Zone to the list upon creation, and Save. Your newly configured network zone should be selected for the bypass MFA criteria.

    • To use an existing network zone, select Manage Network Zones, select the network zone from the list, and click Save. Your existing network zone should be selected for the bypass MFA criteria.

    • If you have the IPs/CIDRs as a .csv file on your machine, you can upload it using the import icon.

  7. In Device is managed, select Certificate validation to check whether the device used by the user has a client certificate installed that can be validated by a trusted root CA. To set up certificate validation, click Configure.
    Settings opens.

  8. Configure mandatory Certificate Validation Settings in the IdP:

    1. Select Certificate validation.

    2. In Enforcement, select one of these choices:

    • Required. The IdP requires the client to present a valid client certificate for authentication that has been issued by a trusted root CA and can be validated by that root CA. If no certificate is presented, the user sees a 400 HTTP error in the browser.

    • Optional. It is optional for the client to present a valid client certificate for authentication that has been issued by a trusted root CA. If a valid client certificate is presented, the user logs in. Otherwise, form-based login is used as the fall-back mechanism.

    • Required off network, Disabled on network. You cannot use this option with the Device is managed bypass MFA criterion; you get an error message.

  9. In CA certificate issuer select the Root CA that you want to use to validate the client certificate. You should have uploaded a certificate for EAA under Certificates > Certificates.

  10. In Certificate Identity Attribute select the attribute in the certificate that is used to identify the user.

  11. Enable Certificate identity is username for bypass MFA to work.
    This setting picks the username identity from the certificate.

    📘

    The bypass MFA feature is not supported when "Certificate Identity is Username" is not selected and Device is Managed is the bypass MFA criterion. The user is prompted for MFA.

    📘

    The bypass MFA feature is not supported when "Certificate Identity is Username" is not selected and Device is Managed and On Corporate Network are used together as the bypass MFA criteria. The user is prompted for MFA.

    These additional Certificate Validation Settings in the IdP are optional:

    • Certificate validation method. None (default) can be left as is. If you select OCSP, the Select OCSP field appears; create an OCSP and select it from the list.

    • Certificate onboard URL (optional). Users are redirected to this URL if no certificate is provided.

  12. Click Save.

  13. Deploy the identity provider.
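The decision logic described by the workflow above and by these configuration steps, as an added model written for this page (not Akamai's or EAA's own code): the network zone is a comma-separated list of IPs/CIDRs, the "Device is managed" criterion only bypasses MFA when the client certificate validates and "Certificate identity is username" is enabled, the "Required off network, Disabled on network" enforcement mode is rejected together with "Device is managed", and per-application disabling and PCI DSS MFA always keep the prompt. All class and field names are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field


def parse_network_zone(spec: str) -> list:
    """Parse the comma-separated IP/CIDR list entered for a network zone.
    A bare IP becomes a /32 (or /128 for IPv6) network."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in spec.split(",") if item.strip()]


@dataclass
class BypassCriteria:
    """Bypass MFA criteria as configured on the IdP (hypothetical model)."""
    on_corporate_network: bool = False
    network_zone: list = field(default_factory=list)   # parsed IPs/CIDRs
    device_is_managed: bool = False
    cert_identity_is_username: bool = False            # required for device-managed bypass
    cert_enforcement: str = "Optional"                 # Required / Optional / Required off network, Disabled on network
    pci_dss_mfa: bool = False                          # bypass cannot be used with PCI DSS MFA


@dataclass
class LoginAttempt:
    source_ip: str
    valid_client_cert: bool   # certificate presented and validated by the trusted root CA


def validate(criteria: BypassCriteria) -> None:
    """Reject the combination the console refuses with an error message."""
    if (criteria.device_is_managed
            and criteria.cert_enforcement == "Required off network, Disabled on network"):
        raise ValueError("Device is managed cannot be combined with this enforcement mode")


def mfa_required(criteria: BypassCriteria, attempt: LoginAttempt,
                 app_bypass_enabled: bool = True) -> bool:
    """True when the user is prompted for MFA, False when bypass applies."""
    validate(criteria)
    if criteria.pci_dss_mfa or not app_bypass_enabled:
        return True  # bypass evaluation does not apply at all
    if not (criteria.on_corporate_network or criteria.device_is_managed):
        return True  # no bypass criteria configured: the MFA policy applies as usual
    if criteria.on_corporate_network:
        ip = ipaddress.ip_address(attempt.source_ip)
        if not any(ip in net for net in criteria.network_zone):
            return True  # outside every configured zone: MFA enforced
    if criteria.device_is_managed:
        if not criteria.cert_identity_is_username or not attempt.valid_client_cert:
            return True  # bypass unsupported without the setting, or no valid certificate
    return False  # every configured criterion is met: no MFA prompt
```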