By default, the two-factor authentication time-to-live (TTL) value is 30 days: if you log on today using two-factor authentication, and if you mark your device as a trusted device, then for the next 30 days you won’t have to use two-factor authentication. Instead, any time you log on from that trusted device you’ll only need to supply your login credentials, no two-factor authentication required. And because 2FA uses a “rolling” clock when tracking the authentication TTL, as long as you log in or establish a Hosted Login session at any point in time during those 30 days you can bypass the two-factor process indefinitely: each time you login or rejoin an existing session the clock is reset and you get 30 days from that point in time.
Note. But what if you log on from a different (and untrusted device), e.g., from your cell phone or from a different web browser? In that case, you will need to go through the two-factor authentication (although, when you do that, you can mark this second device as a trusted device).
The default TTL value of 30 days may work perfectly well for your organization; if so, then you don’t have to do anything except leave well enough alone. For other organizations, however, the 30-day interval might be too long: you might prefer to limit this interval to a week or maybe a day. And that’s fine: you can manage the two-factor TTL value by using the authentication.second_factor.trust_device_ttl setting in your application client.
One thing we should clarify here is that, when you first enable two-factor authentication, your application client won’t include this setting (well, not unless you configure it at the same time you enable two-factor authentication). However, the 30-day time interval will still be enforced: if the authentication.second_factor.trust_device_ttl setting doesn’t exist then Hosted Login automatically uses the default TTL value of 30 days. You only have to add the authentication.second_factor.trust_device_ttl setting if you want to set the TTL to something other than 30 days.
Note. You’ve probably already figured this out for yourselves, but this also means that deleting the setting doesn’t disable two-factor authentication; deleting the setting merely resets the TTL value to 30 days. If you want to disable two-factor authentication, set the authentication.second_factorapplication client setting to false.
You can manage the two-factor authentication TTL interval by using either Console or the Identity Cloud Configuration APIs. To add, and to modify, the authentication.second_factor.trust_device_ttl setting in Console, complete the following procedure:
- From anywhere in Console, click Manage Properties.
- On the Manage Properties page, click the Actions icon located to the left of your application client and then click Edit:
- On the Edit page for your application client, scroll to the bottom of the page and then click Edit Settings:
- On the Edit Settings page, click the Add Setting button:
- In the Select setting key field, type authentication.second_factor.trust_device_ttl and then click Create authentication.second_factor.trust_device_ttl:
- In the Value field, type the TTL interval, in seconds. For example, to set the TTL value to 1 week, type 604800 (7 days x 24 hours in a day x 60 minutes in an hour x 60 seconds in a minute = 604800 seconds):
- Click Save Changes:
Because you configure authentication.second_factor.trust_device_ttl on the application client this enables you to use different TTL values for different sets of users. For example, users who employ OIDC client 64430515-01ea-4f5d-82e4-c36161af0093 when making an authorization request could have a two-factor TTL of 7 days; meanwhile, users who employ OIDC client 27cd2052-340d-4732-8754-30be1c100866 might have a TTL value of 21 days. It depends on which value you assign to which application client.
But what if you want all your OIDC clients to use the same TTL value? In that case, you can configure authentication.second_factor.trust_device_ttl at the application scope. If you do that, all your application clients automatically inherit the setting and its value.
As noted. your trusted device TTL value must be configured in seconds; allowed values range from 0 (which forces users to employ two-factor authentication each time they log on) to -- well, effectively there's no limit to the time-to-live lifetime. That said, however, keep in mind that Hosted Login sessions expire after 30 days of inactivity. That means that, even if you set the device TTL to, say, 1,000 days, the Hosted Login session could expire long before those 1,000 days are up. If that happens, if the Hosted Login session does expire, then users will need to login again (and go through two-factor authentication again) regardless of the value assigned to the authentication.second_factor.trust_device_ttl setting.