What Happens When You Trust a Device? (Running time: 2:52)
Two-factor authentication always involves a tradeoff. On the one hand, the second authentication factor provides an additional measure of security, making it even more likely that the user who just logged on really is the person they claim to be. On the other hand, two-factor authentication can affect the user experience and user satisfaction. Maybe users logging on to their bank or their healthcare provider don’t mind jumping through a two-factor hoop; however, that might not be the case for users who simply want to read the news or listen to music. When it comes to two-factor authentication, one size doesn’t necessarily fit all.
To give organizations more flexibility when it comes to two-factor authentication, Hosted Login supports the notion of “trusted devices.” If trusted devices are enabled then, when a user first logs on to a website, he or she has the option of marking their device/web browser as a “trusted device.” That means that, by default, the user can log on to the website for the next 30 days without having to go through the two-factor process; instead, they simply supply their user credentials and log on. Furthermore, the amount of time that users can go without having to provide a two-factor access code (known as the “time-to-live” interval) is customizable. Is 30 days too long a timespan? Fine; make it shorter. Is skipping even one instance of two-factor authentication unacceptable? Fine; you can configure Hosted Login to require two-factor authentication any time a user logs on. It’s entirely up to you.
This documentation examines trusted devices in detail, covering the following topics:
- The "Trust this device for future logins" Checkbox
- What's the "Device" Part of a Trusted Device?
- How Can a User "Untrust" a Device?
- Modifying the Trusted Device Time-to-Live Value
- Requiring Two-Factor Authentication on Each Login
- Appendix A: When, Exactly, is Two-Factor Authentication Required?