Users are unable to trust a device

Question

We'd like to give users the chance to trust their devices, but they never see the Trust this device for future logins checkbox. And isn't that the only way a user can trust a device?

Answer

First of all, you’re absolutely right: the only way you can trust a device is by checking the Trust this device for future logins checkbox, a checkbox which appears on the same screen where users enter their 2FA access code. From the sounds of it, however, it seems as though your access code screens don’t have this checkbox:

So how do you make the Trust this device for future logins checkbox appear on your screens?

To answer that question, let’s start by explaining why you aren’t seeing this checkbox. For our purposes, the presence (or absence) Trust this device for future logins checkbox is dictated by the application client setting authentication.second_factor.trust_device_ttl. If this setting appears in your application client, and if it’s set to anything other than 0, then you’ll see the checkbox in question. And if you don’t see the checkbox that can only mean one thing: you’ve set authentication.second_factor.trust_device_ttl to 0.

In turn, deleting the authentication.second_factor.trust_device_ttl setting, or setting it to anything except 0, will cause the checkbox to appear:

So is that it? You delete (or change the value of) the authentication.second_factor.trust_device_ttl setting, the checkbox shows up, and there are no additional ramifications or repercussions?

Well, we didn’t exactly say that. Remember, the only reason to set authentication.second_factor.trust_device_ttl to 0 is to ensure that your users have to go through two-factor authentication each time they log on. If you remove this setting (or change its value) that:

  1. Displays the Trust this device for future logins checkbox.
  2. Gives users the opportunity to, well, trust their devices.
  3. By trusting their devices, gives users the opportunity to bypass 2FA. (For how long? That depends on the value you assign to the authentication.second_factor.trust_device_ttl. value.)

Most likely you’re not only aware of this, but you’re perfectly fine with users being able to bypass 2FA for a set period of time. Still, we felt it was important that we reiterate that. Trusted devices provide a way for users to bypass 2FA. If you don’t want users to bypass 2FA (that is, you want them to use two-factor authentication each time they log on) then you shouldn’t let users trust their devices; that simply wouldn’t make any sense.

📘

Isn’t there a compromise position here? Sure: just set authentication.second_factor.trust_device_ttl to a relatively small value. For example, by default authentication.second_factor.trust_device_ttl is set to 30 days (2592000); that means users can bypass 2FA for 30 days. As a compromise, maybe set authentication.second_factor.trust_device_ttl setting to 5 days (432000 seconds). That way users can trust their devices and bypass 2FA, but only for 5 days at a time.