Okta Classic Engine | Lifecycle Management | Answered | 2025-03-14T09:00:19.000Z | 2019-08-08T16:47:48.000Z | 2020-03-13T19:57:15.000Z

RyanW.94985 (Customer) asked a question.

Remember Device = False not being respected

I have an MFA email factor set up in our environment. The factor is assigned to a specific group which also has a sign on policy assigned to it. The sign in policy has a rule for enforcing the MFA. Within this rule, I have it set up to prompt for the email factor per session. For testing purposes, I set the factor lifetime to 4 minutes. The session, I set to 2 hours. When I use Postman to test this setup, I am able to log in with a device token in the context object the first time and can proceed from MFA_Required to MFA_Challenge using the session token. During the challenge phase, I set the query string parameter "rememberDevice" to false. This should avoid remembering the device, but the actual behavior is different. The next auth attempt goes through as a success and not MFA_Required.

 

What am I doing wrong?


  • 0c3c5 (0c3c5)

    I'm having somewhat of the opposite problem (`rememberDevice=true` is not being respected) so curious to see any sort of feedback/information on this topic.

  • RyanW.94985 (Customer)

    Danny, are you sending the device token via the context object during the authentication step?

  • 0c3c5 (0c3c5)

    When I attempted via Postman I did not -- so I didn't expect it to work. But when I attempted it via the sign-on widget there is a device token. Interestingly enough though the call gets sent with rememberDevice=false even though in the UI I checked the box.

     

    I'll try using Postman -- might be an issue with the widget.

  • 0c3c5 (0c3c5)

    Hmmm, in looking again it's the DeviceFingerprint that the widget sent. Misread that. So looks like the widget is not sending a deviceToken (or it's not indicated in the logs).

  • 0c3c5 (0c3c5)

    Yeah... widget aside, for whatever reason I continue to get MFA_Required where I am expecting Success (opposite of your issue). Odd.

  • RyanW.94985 (Customer)

    That is strange. Is the body of your auth request (when using Postman) similar to this:

    {
      "username": "email@notreal.com",
      "password": "P@ssW0rd1!",
      "context": {
        "deviceToken": "7bb13753c9064a80872f6a6b336dddkd"
      }
    }

     

    Are you also using the seemingly undocumented Email Factor?

  • RyanW.94985 (Customer)

    Perhaps your sign on policy rules differ from mine. I am uncertain of how the Okta interface determines some of these items, specifically allowRememberDevice and the rememberDeviceByDefault. The latter is expressly perplexing because the checkbox for that only appears when per device is used and not when per session is used. To add to the perplexity, sometimes rememberDeviceByDefault switches from false to true...then I clear out the factors for a user and it returns to false. All of this while using per session.

     

    "policy": {
      "allowRememberDevice": true,
      "rememberDeviceLifetimeInMinutes": 15,
      "rememberDeviceByDefault": false,
      "factorsPolicyInfo": {}
    }

     

  • 0c3c5 (0c3c5)

    I like how you phrased that — the “seemingly undocumented Email Factor.” 😂 I am indeed. It functions the same as the SMS.

     

    My request is the same but without the password. I’m using 100% factor sequencing alone. Perhaps that’s my issue, in which case our troubles, although similar, are probably not the same.

  • LukeS.41609 (Customer)

    Hi Ryan, are you able to fix it? I'm having exactly the same problem.

    Thanks.

  • AtulE.49612 (Customer)

    Hi Ryan, I am not able to set rememberDeviceLifetimeInMinutes from policy. How did you set this to 15?

This question is closed.
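
A check for the behaviour reported in this thread, as an added example that is not from any of the posters or from Okta: it walks a recorded sequence of authentication calls and flags a primary authentication that returns SUCCESS for a deviceToken whose last completed factor verification was sent with rememberDevice=false. The host, tokens, trace and function names are constructed, and each record is assumed to carry the request URL and body plus the response status and stateToken.

```python
from urllib.parse import urlparse, parse_qs

BASE = "https://org.example/api/v1/authn"  # constructed host, not a real org

def auth_call(device, status, state=None):
    """Constructed record of a primary auth request and its response."""
    return {"url": BASE, "body": {"context": {"deviceToken": device}},
            "status": status, "stateToken": state}

def verify_call(state, remember, status):
    """Constructed record of a factor verify request and its response."""
    return {"url": f"{BASE}/factors/FACTOR_ID/verify?rememberDevice={remember}",
            "body": {"stateToken": state}, "status": status}

# Constructed trace: dev-A shows the reported problem, dev-B the expected flow.
TRACE = [
    auth_call("dev-A", "MFA_REQUIRED", "st-1"),
    verify_call("st-1", "false", "MFA_CHALLENGE"),
    verify_call("st-1", "false", "SUCCESS"),
    auth_call("dev-A", "SUCCESS"),
    auth_call("dev-B", "MFA_REQUIRED", "st-2"),
    verify_call("st-2", "false", "SUCCESS"),
    auth_call("dev-B", "MFA_REQUIRED", "st-3"),
]

def find_remember_device_violations(trace):
    """Return (index, deviceToken) for each primary auth that skipped MFA
    after that device completed MFA with rememberDevice=false."""
    state_to_device = {}  # stateToken -> deviceToken of the auth that issued it
    opted_out = set()     # devices whose last completed verify said "false"
    findings = []
    for i, call in enumerate(trace):
        url = urlparse(call["url"])
        if url.path.endswith("/verify"):
            device = state_to_device.get(call["body"].get("stateToken"))
            remember = parse_qs(url.query).get("rememberDevice", [None])[0]
            if device and call["status"] == "SUCCESS":
                # A missing parameter is treated as "not opted out" here.
                (opted_out.add if remember == "false" else opted_out.discard)(device)
        elif url.path.endswith("/authn"):
            device = call["body"].get("context", {}).get("deviceToken")
            if device and call["status"] == "SUCCESS" and device in opted_out:
                findings.append((i, device))
            if device and call.get("stateToken"):
                state_to_device[call["stateToken"]] = device
    return findings

if __name__ == "__main__":
    print(find_remember_device_violations(TRACE))
```

A finding only records that MFA was skipped for that device; it does not say which policy setting caused it.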