The Remembered Devices Policy enhances user experience by allowing devices to be remembered for a specified period. This policy reduces the frequency of MFA prompts for known devices, streamlining the login process while maintaining security.
The Remembered Devices Policy minimizes MFA fatigue, balancing security and usability.
Use Case: Daily MFA Prompt for Same Device
Scenario
Require users to perform MFA only once per day on the same computer.
Challenge
Maintaining security while minimizing the number of MFA prompts users have to go through.
Solution
Implement a Remembered Devices Policy that requires users to perform MFA only once per day on the same device.
Benefits
- User Convenience: Reduces the number of MFA prompts users encounter.
- Maintained Security: Ensures that MFA is still performed regularly to protect against unauthorized access.
- Efficiency: Streamlines the login process, saving time for users.
Step-by-Step Configuration Guide: Global Configuration
The following is how to enforce the described policy globally for all users and applications. Keep in mind that this configuration will apply to every user group and every application by default unless explicitly overridden by a custom policy.
1. Sign in to the Rublon Admin Console.
2. In the Policies tab, click Edit Global Policy, set Remember a device for to one day in the Remembered Devices section, and click Save to save the changes to the Global Policy.
3. From now on, users will be able to remember their devices for one day while logging in to any application unless the Global Policy for that application was explicitly overridden by a Custom Policy.
Step-by-Step Configuration Guide: Custom Configuration
The following is how to enforce the described policy only for some users and only for some applications. Note that while this configuration requires more work from an administrator, it also allows for a more controlled and granular enforcement of the policy across the organization.
1. Sign in to the Rublon Admin Console.
2. In the Groups tab, create a Daily MFA Users user group. (See: How to add group)
3. In the Users tab, add the users to the Daily MFA Users group. (See: How to add users to group)
4. In the Policies tab, create a new Custom Policy called MFA Once a Day where you set Remember a device for to one day in the Remembered Devices section, and click Save to save the changes to the Custom Policy. (See: How to create new policy and Remembered Devices)
5. In the Applications tab, assign the MFA Once a Day policy to the Daily MFA Users group in one or more applications. (See: How to assign Group Policies to groups within application)
6. From now on, all users in the Daily MFA Users group will have the ability to remember their devices for one day, provided that the MFA Once a Day policy is assigned as a Group Policy to the application they log in to.
Use Case 2: Disable Remembered Devices for IT Admins
Scenario
Enforce the highest security standards by disabling the Remembered Devices Policy for IT administrators while allowing other users to still benefit from this policy.
Challenge
Ensuring that IT admins always go through MFA for each login attempt, thereby reducing the risk of unauthorized access, while maintaining a seamless experience for regular users.
Solution
Implement a policy that disables Remembered Devices for IT admins, requiring them to authenticate with MFA every time they log in.
Benefits
- Enhanced Security for IT Admins: Ensures that IT admins undergo MFA for every login, minimizing security risks.
- User Convenience for Others: Regular users still benefit from the Remembered Devices Policy, reducing the number of MFA prompts they encounter.
- Tailored Security Measures: Allows for differentiated security policies based on user groups.
Step-by-Step Configuration Guide
Refer to Group Policies – Disable Remembered Devices for IT Admins for detailed instructions on how to configure the policy in the described scenario.
