Users are unable to trust a device
Question
We'd like to give users the chance to trust their devices, but they never see the Trust this device for future logins checkbox. And isn't that the only way a user can trust a device?
Answer
First of all, youβre absolutely right: the only way you can trust a device is by checking the Trust this device for future logins checkbox, a checkbox which appears on the same screen where users enter their 2FA access code. From the sounds of it, however, it seems as though your access code screens donβt have this checkbox:
So how do you make the Trust this device for future logins checkbox appear on your screens?
To answer that question, letβs start by explaining why you arenβt seeing this checkbox. For our purposes, the presence (or absence) Trust this device for future logins checkbox is dictated by the application client setting authentication.second_factor.trust_device_ttl. If this setting appears in your application client, and if itβs set to anything other than 0, then youβll see the checkbox in question. And if you donβt see the checkbox that can only mean one thing: youβve set authentication.second_factor.trust_device_ttl to 0.
In turn, deleting the authentication.second_factor.trust_device_ttl setting, or setting it to anything except 0, will cause the checkbox to appear:
So is that it? You delete (or change the value of) the authentication.second_factor.trust_device_ttl setting, the checkbox shows up, and there are no additional ramifications or repercussions?
Well, we didnβt exactly say that. Remember, the only reason to set authentication.second_factor.trust_device_ttl to 0 is to ensure that your users have to go through two-factor authentication each time they log on. If you remove this setting (or change its value) that:
- Displays the Trust this device for future logins checkbox.
- Gives users the opportunity to, well, trust their devices.
- By trusting their devices, gives users the opportunity to bypass 2FA. (For how long? That depends on the value you assign to the authentication.second_factor.trust_device_ttl. value.)
Most likely youβre not only aware of this, but youβre perfectly fine with users being able to bypass 2FA for a set period of time. Still, we felt it was important that we reiterate that. Trusted devices provide a way for users to bypass 2FA. If you donβt want users to bypass 2FA (that is, you want them to use two-factor authentication each time they log on) then you shouldnβt let users trust their devices; that simply wouldnβt make any sense.
Isnβt there a compromise position here? Sure: just set authentication.second_factor.trust_device_ttl to a relatively small value. For example, by default authentication.second_factor.trust_device_ttl is set to 30 days (2592000); that means users can bypass 2FA for 30 days. As a compromise, maybe set authentication.second_factor.trust_device_ttl setting to 5 days (432000 seconds). That way users can trust their devices and bypass 2FA, but only for 5 days at a time.
Updated over 1 year ago