Requiring Two-Factor Authentication on Each Login

Some organizations prefer that two-factor authentication kick in each time a user logs on. To require two-factor authentication with each login, all you have to do is set the  value of the authentication.second_factor.trust_device_ttl setting to 0: 

VIDEO
Requiring 2FA Each Time a 
User Logs On

This sets the time-to-live value for two-factor authentication to 0 seconds; that means that your two-factor authentication session expires immediately. In turn, that means that you’ll always have to use two-factor authentication when you log on. 

Keep in mind that, if you set authentication.second_factor.trust_device_ttl to 0, Hosted Login doesn’t care whether or not you have previously configured your device as a trusted device: you’ll always be required to use two-factor authentication. In fact, if you set authentication.second_factor.trust_device_ttlto 0 the trusted devices checkbox no longer appears on the authRule_secondFactorLoginCode screen:

Why not? That’s right: because, with authentication.second_factor.trust_device_ttl to 0 trusted devices are now treated exactly the same as untrusted devices.

But here’s an interesting scenario:

1. The first time you log on to a website, you configure your computer as a trusted device.
2. The next time you log on to that website, you supply your login credentials and then, because you’re using a trusted device, you’re able to bypass two-factor authentication.
3. At about that same time, your administrator updates the application client you use when logging on, setting authentication.second_factor.trust_device_ttl to 0.
4. The next time you log on, you’re required to use two-factor authentication.
5. Your administrator then decides to switch gears, and resets authentication.second_factor.trust_device_ttl back to the default value of 30 days (2,592,000seconds).
6. The next time you log on to that website, you supply your login credentials but are able to bypass two-factor authentication. That’s because Hosted Login “remembered” that yours was a trusted device and, as long as you’re still within the new two-factor TTL interval, you’re allowed to login without going through two-factor authentication.

See Also

• An Introduction to Trusted Devices
• The "Trust this device for future logins" Checkbox
• What's the "Device" Part of a Trusted Device?
• How Can a User "Untrust" a Device?
• Modifying the Trusted Device Time-to-Live Value
• Appendix A: When, Exactly, is Two-Factor Authentication Required?