Device authentication

Device authentication is an MFA method that allows users to register their devices’ browsers as "trusted" browsers. Trusted devices can be exempted from the second factor authentication step. Device authentication provides the perfect balance between security (only trusted devices can skip the second factor authentication step) and usability (users need to do second factor authentication less often).

Because the device authentication feature uses cookies to mark devices as trusted, we sometimes call it cookie-based authentication.

It is important to note that the device authentication method differs from the other methods in two ways:

As an extension to other MFA methods to skip doing MFA for N days

To offer the ability to skip doing MFA for N days on an MFA method, you can set a non-zero value in the The number of days that users can skip the second factor setting found on the MFA connection:

skip-mfa-settings

Note that if you set the setting to zero, Identify will not offer your users the option to skip MFA.

In the above example, when your users are asked to do TOTP authentication, they will also have the option to skip it for the next 10 days. Please note that the option does not appear when users are doing registration. This new feature works for all other MFA methods as well.

skip-mfa

As an MFA method

The Device authentication feature can also work as a standalone MFA method similar to other methods. You can select and add the Device method on an OTP connection:

device-authentication-mfa-method

The way it works is that after a user passes the primary authentication, he or she is asked to register the device as a trusted device:

register-device

By clicking on the Register device button, Identify will register the device - the browser's fingerprint and related user information. As a result, the user will not need to do second factor authentication at the next time he or she logs in.

Device authentication registration also provides the user a recovery code. The user can use it to log in on another browser/device or register an additional device:

device-authentication-additional-device

For the sake of security, it is recommended that device registration must be used in conjunction with conditional access. For example, users must do registration from trusted IPs such as intranet. Note that after registration is done, users can log in from the internet.

Administrator note: you can reset a user's device authentication registration on the user editing page. Right now, users cannot reset their own trusted devices from the My profile page (they do not have access to the page anyway):

device-authentication-reset

Customized views

From version 5.11, all Razor views and hosted forms of TOTP Authenticator, WebAuthn, OS2faktor, and Email/SMS methods have a new checkbox and text to support this new feature. If you upgrade from a previous option and have customized one of those views, you will have to update your customized views.

The Hosted forms feature has support for the new Device registration page. You can customize it either using Hosted forms or its Razor view.

Private browser

Device authentication (both as an extension of other MFA methods and as a standalone MFA method) is a cookie-based authentication. It will not work in private browser/Incognito mode.