New features and enhancements

Akamai is introducing a new, simplified method for configuring firewall rules to access the Akamai MFA service. If you currently use the CIDR block list to apply firewall rules on restricted clients for mfa.akamai.com, you must migrate these clients to static.mfa.akamai.com by October 31, 2025 to ensure uninterrupted service. After this date, mfa.akamai.com will begin serving content using dynamic IP addresses across Akamai's global network.

The new static.mfa.akamai.com hostname is served by a small, permanent list of static IP addresses. This hostname uses Edge IP Binding (EIPB) to leverage Akamai’s global network for enhanced performance and reliability.

If your organization restricts outbound connections, add firewall rules to allow outbound connections on TCP port 443 for the following static IP addresses.

IPv4 addresses for static.mfa.akamai.com:
```
23.11.42.61
23.11.43.61
23.11.38.62
23.11.39.62
23.11.40.61
23.11.41.61
23.11.32.63
23.11.33.63
23.11.36.61
23.11.37.61
23.11.34.62
23.11.35.62
```
IPv6 addresses for static.mfa.akamai.com:
```
2600:14e1:28:26::/64
2600:14e1:2c:26::/64
2600:14e1:18:27::/64
2600:14e1:1c:27::/64
2600:14e1:20:26::/64
2600:14e1:24:26::/64
2600:14e1:0:26::/64
2600:14e1:4:26::/64
2600:14e1:10:26::/64
2600:14e1:14:26::/64
2600:14e1:8:26::/64
2600:14e1:c:26::/64
```
After clients have been migrated to static.mfa.akamai.com you can safely remove the old firewall rules from the CIDR block list because these CIDR block restrictions will be removed from mfa.akamai.com after October 31, 2025.
The Remembered Devices policy is now expanded to support browser-based authentication. Previously limited to the Windows Logon integration, this policy now lets users mark their web browser as trusted and skip subsequent multi-factor authentication.
- When the Remembered Devices policy is active, users will see a Remember me option in the authentication prompt, which lets them skip multi-factor authentication for a period of time you set in the policy.