Using Duo to prompt for MFA every day/week

Our Windows laptops connected to Azure Active Directory use 2FA but you are only prompted to use it when logging onto a new device. They do lock after 5 minutes idle requiring the PIN/fingerprint to be used. This process seems to fulfil the requirements for 2FA so you’re not prompted again.

However, we’ve been told by our Cyber insurance vendor that this will no longer be acceptable and that they will insist that the 2FA process is gone through periodically - possibly each day. Our users are going to hate us!

M365/Azure AD doesn’t appear to allow this seemingly simple request so is it something Duo could do? Basically, force the users to use 2FA every 24 hours when they unlock the laptop?

Hi @robnicholson, thanks for your question!

Duo allows you to employ a Remembered Devices policy to reduce authentication friction. You can read more about how Remembered Devices work in this help article.

This feature is similar to the “remember me” checkbox most users are familiar with. When the remembered devices feature is enabled, users are offered a “Don’t prompt me again on this device” checkbox during login. When users check this box, they will not be challenged for secondary authentication when they log in again from that device for a set period of time that you determine as the admin.

You also have the option to enable remembered devices Per each application or For all protected web applications.

Hope this helps!

If you are looking to increase the number of times users authenticate, Azure’s Authentication Session Management feature gives you control over how many times users are prompted to authenticate. You can learn more about how to use this feature with Duo MFA in this help article.