Prevent users from trusting their devices


We'd prefer that users not be able to trust their devices. But how do we hide the "Trust this device for future logins" checkbox that shows up on the two-factor authentication screens?


There’s only one way to hide the "Trust this device for future logins" checkbox: set the value of the authentication.second_factor.trust_device_ttl setting to 0. When you do that, two things happen. First, the "Trust this device for future logins" checkbox is removed from the access code screen.

In turn, no checkbox means that users will no longer be able to trust their devices.

However, this also means that users will be required to go through the two-factor authentication process each time they log on. That, depending on how you want to look at it, is the downside of setting authentication.second_factor.trust_device_ttl to 0.

But wait, you might ask, isn’t there a way to hide the checkbox without making users go through the 2FA process each time they log on? The answer to that is simple: no. And the reason for that is equally simple. Your ability to bypass 2FA is based on having a trusted device: depending on how you configure things, a user could forgo two-factor authentication for 30 days as long as they’re logging on from a trusted device. If you’re logging on from an untrusted device, you’ll always have to go through 2FA. Without the checkbox there’s no way for a user to trust a device, which means that, by extension, users will always be logging on from untrusted devices. And logging on from an untrusted device means going through 2FA.


Before you ask, no, an administrator can’t configure a trusted device for a user. A trusted device consists of a specific piece of hardware, a specific web browser, a specific user, and a cookie which is written to that web browser. That’s not something an administrator can configure.
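To make the decision logic from the two preceding sections concrete (trust_device_ttl of 0 hides the checkbox and forces 2FA on every login; otherwise 2FA is skipped only while a cookie bound to this user and browser is within its TTL), here is an added, illustrative model. It is not the product's own code: the cookie field names, the browser identifier, and the assumption that the TTL is expressed in seconds are all assumptions made for the example, and the sample values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Illustrative model of the trusted-device decision described in the text.
# Not the product's own code: field names and the TTL unit (seconds) are assumptions.

THIRTY_DAYS = 30 * 24 * 3600  # constructed example TTL, matching the "30 days" in the text


@dataclass(frozen=True)
class TrustedDeviceCookie:
    """What the trusted-device cookie is assumed to bind together."""
    user_id: str          # the user who ticked the checkbox
    browser_id: str       # identifies the specific browser the cookie was written to
    issued_at: datetime   # when the user trusted the device


def show_trust_checkbox(trust_device_ttl: int) -> bool:
    """The 'Trust this device for future logins' checkbox only appears when trust is enabled."""
    return trust_device_ttl > 0


def second_factor_required(trust_device_ttl: int,
                           user_id: str,
                           browser_id: str,
                           cookie: Optional[TrustedDeviceCookie],
                           now: datetime) -> bool:
    """Return True when this login must complete two-factor authentication.

    trust_device_ttl models authentication.second_factor.trust_device_ttl.
    A value of 0 disables device trust entirely, so 2FA is always required.
    """
    if trust_device_ttl <= 0:
        return True                      # no checkbox, so no device can ever be trusted
    if cookie is None:
        return True                      # untrusted device: no cookie present
    if cookie.user_id != user_id or cookie.browser_id != browser_id:
        return True                      # cookie belongs to another user or browser
    expires_at = cookie.issued_at + timedelta(seconds=trust_device_ttl)
    return now >= expires_at             # trust has lapsed once the TTL is exhausted


if __name__ == "__main__":
    # Constructed sample: a cookie issued 29 days before "now" for the same user/browser.
    now = datetime(2024, 1, 31, tzinfo=timezone.utc)
    cookie = TrustedDeviceCookie("alice", "browser-A", datetime(2024, 1, 2, tzinfo=timezone.utc))
    print("checkbox shown (ttl=30d):", show_trust_checkbox(THIRTY_DAYS))
    print("2FA required (ttl=30d):", second_factor_required(THIRTY_DAYS, "alice", "browser-A", cookie, now))
    print("checkbox shown (ttl=0):", show_trust_checkbox(0))
    print("2FA required (ttl=0):", second_factor_required(0, "alice", "browser-A", cookie, now))
```

The model also makes the last point of the text visible: there is no administrator-side path that produces a valid cookie, because the cookie is only ever written by the user's own browser when the checkbox is ticked, and it is useless on any other browser or for any other user.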