Is there any way to only require MFA on initial login for a session? Due to other security requirements my organization has to automatically lock sessions after 30 minutes, and entering your credentials again to resume the session triggers another MFA event. I can imagine other office-mates complaining about this… and I want to reduce people’s general dislike of the IT group as much as possible.
There are a bunch of clever ways we’ve seen customers accomplish this, so I’m definitely interested in what others have to say on the matter, but two of our most popular solutions that reduce end-user friction while maintaining your security posture are Authorized Networks and Remembered Devices.
Not all applications support these features, so we keep a running list of which applications do in our Knowledge Base here: https://help.duo.com/s/article/2155.
You should also consider using our Policy Engine to prompt (or not prompt) users via more granular combinations of policies depending on the sensitivity of the applications and user groups you’re protecting.
I’ve linked the configuration documentation inline above, but I also strongly recommend reading our Policy Guide to get a better understanding of how the engine works and to see some example implementations: https://duo.com/assets/pdf/Duo-Policy-Guide.pdf.
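As an added illustration (not Duo's code, nor anything posted in this thread), the following Python model shows how the two exemptions named above, Authorized Networks and Remembered Devices, combine with a per-application "always prompt" setting, and runs them through the 30-minute lock/unlock cycle the question describes. The policy fields, the in-memory MFA state store, the CIDR, device id and timestamps are all constructed assumptions, not Duo's data model.

```python
"""Illustrative MFA re-prompt policy evaluator (constructed example, not Duo code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """One application's (or group's) policy. Field names are hypothetical."""
    authorized_networks: Tuple[str, ...] = ()          # CIDRs whose clients are not prompted
    remember_device_for: Optional[timedelta] = None    # trust window after a pass; None = feature off
    always_prompt: bool = False                        # sensitive apps: ignore both exemptions


@dataclass
class MfaState:
    """Per-device record of the last successful MFA (hypothetical in-memory store)."""
    last_success: Dict[str, datetime] = field(default_factory=dict)

    def record_success(self, device_id: str, when: datetime) -> None:
        self.last_success[device_id] = when


def requires_mfa(policy: Policy, client_ip: str, device_id: Optional[str],
                 state: MfaState, now: datetime) -> Tuple[bool, str]:
    """Return (prompt?, reason). Checks run in order: always_prompt, network, device."""
    if policy.always_prompt:
        return True, "policy requires MFA on every authentication"
    addr = ip_address(client_ip)
    for cidr in policy.authorized_networks:
        if addr in ip_network(cidr):
            return False, f"client is on authorized network {cidr}"
    if policy.remember_device_for is not None and device_id is not None:
        last = state.last_success.get(device_id)
        if last is not None and now - last < policy.remember_device_for:
            return False, "device remembered from an earlier MFA within the trust window"
    return True, "no exemption applies"


def simulate_lock_unlock(policy: Policy, client_ip: str, device_id: str,
                         lock_interval: timedelta, unlocks: int) -> List[Tuple[bool, str]]:
    """Initial login followed by `unlocks` screen-unlocks spaced `lock_interval` apart.
    Returns one (prompted?, reason) decision per authentication."""
    state = MfaState()
    t0 = datetime(2024, 1, 1, 9, 0)   # constructed start time
    decisions = []
    for i in range(unlocks + 1):
        now = t0 + i * lock_interval
        prompt, reason = requires_mfa(policy, client_ip, device_id, state, now)
        if prompt:
            state.record_success(device_id, now)   # assume the user passes the MFA prompt
        decisions.append((prompt, reason))
    return decisions


# Constructed policies mirroring the thread: a strict Windows Logon policy, and a
# lower-sensitivity internal web app that allows both exemptions.
WINDOWS_LOGON = Policy(always_prompt=True)
INTERNAL_WEB = Policy(authorized_networks=("10.20.0.0/16",),
                      remember_device_for=timedelta(hours=8))

if __name__ == "__main__":
    for name, pol in (("windows_logon", WINDOWS_LOGON), ("internal_web", INTERNAL_WEB)):
        result = simulate_lock_unlock(pol, "203.0.113.7", "laptop-42", timedelta(minutes=30), 3)
        prompted = sum(1 for p, _ in result if p)
        print(f"{name}: prompted on {prompted} of {len(result)} authentications")
```

Running it shows the trade-off in the thread: the Windows Logon policy prompts on the initial login and on every one of the three unlocks, while the web app policy prompts once and then treats the laptop as remembered for the rest of the eight-hour window (and never prompts at all from the authorized network).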
Based on the information you provided, it looks like it doesn’t support what I’m looking to accomplish, unfortunately. We need to use MFA for Windows Logon on our Domain, so I can’t use remembered devices. We also don’t want to totally skip authorization for certain devices or people, because it’s a requirement for them to use MFA when they log on. If there isn’t a feature request in already, it would be nice if I could add this as a potential feature for a future release.
We’re interested in this exact functionality. When we did our testing, this was the first feedback we got: 2FA on Windows is great, but gets really annoying really quick when it applies to every time you lock your screen.