Device criteria for MFA Authentication

Fer Ortiz
Tera Contributor

Is it possible to configure an instance to avoid requesting MFA authentication if a user is logging in from the Now Agent or Now Mobile application?

Currently we have activated a role criterion, but end users would like to avoid this behavior for the Now Mobile apps.

I have read about Adaptive authentication, but I could not find anything related to a device type criterion.

Thanks in advance


Randheer Singh
ServiceNow Employee

Hi @Fer Ortiz ,

Thanks for sharing the use case. Can you please share details about how these users are logging in?

In adaptive authentication, you can use identity provider attributes as filter criteria. Typically, IdPs can share attributes about the device used as part of the SAML response. Adaptive authentication allows you to read those attributes and apply security policies using those. So, if your users are logging in using SSO, you can leverage this in the MFA context policy. Here is the documentation.

If the users are not logging in using SSO, you can leverage the trusted mobile app filter criteria in the MFA context policy. The mobile app users have to undergo a one-time mobile app registration step. 

Note: Due to a product defect, you must create a dummy pre-authentication policy (for example, all access from all IPs or from trusted mobile app) with trusted mobile app filter criteria to use the trusted mobile app filter with a policy associated with the MFA context.


Thanks,

Randheer