Require 2FA on every login

Requiring 2FA Each Time a User Logs On


Some organizations prefer that two-factor authentication kick in each time a user logs on. To require two-factor authentication with each login, all you have to do is set the  value of the authentication.second_factor.trust_device_ttl setting to 0

This sets the time-to-live value for two-factor authentication to 0 seconds; that means that your two-factor authentication session expires immediately. In turn, that means that you always have to use two-factor authentication when you log on. 

Keep in mind that, if you set authentication.second_factor.trust_device_ttl to 0, Hosted Login doesn’t care whether or not you have previously configured your device as a trusted device: you’ll always be required to use two-factor authentication. In fact, if you set authentication.second_factor.trust_device_ttl to 0 the trusted devices checkbox no longer appears on the authRule_secondFactorLoginCode screen:

Why not? That’s right: because, with authentication.second_factor.trust_device_ttl to 0 trusted devices are now treated exactly the same as untrusted devices.

But here's a bit of good news for trusted device users. Consider this scenario:

  1. The first time you log on to a website, you configure your computer as a trusted device.

  2. The next time you log on to that website, you supply your login credentials and then, because you’re using a trusted device, you’re able to bypass two-factor authentication.

  3. At about that same time, your administrator updates the application client you use when logging on, setting authentication.second_factor.trust_device_ttl to 0.

  4. The next time you log on, you’re required to use two-factor authentication.

  5. Your administrator then decides to switch gears, and resets authentication.second_factor.trust_device_ttl back to the default value of 30 days (2,592,000 seconds).

The next time you log on to that website, you supply your login credentials but are able to bypass two-factor authentication. That’s because Hosted Login “remembered” that yours was a trusted device and, as long as you’re still within the new two-factor TTL interval, you’re allowed to login without going through two-factor authentication.