
How to Configure "Remember Me" Functionality for Two-Factor Authentication


Problem

Two-Factor Authentication (2FA) is too demanding for end-users, and you want to suppress the OTP prompt where possible so that authentication is simpler after a successful 2FA, without removing the requirement completely.

Solution

Use PortalGuard's "Remember Me" feature to reduce the number of 2FA prompts presented to the end-user. "Remember Me" works by using an HTTP cookie to identify the device/browser used by the end-user. The feature retains security by requiring the end-user to mark the device as trusted AFTER successfully validating 2FA. In subsequent authentication requests, the user is still prompted for username and password.

Important Note: Users will still be forced to do full 2FA if they are using an Incognito/InPrivate window OR if they clear the cookies from the browser.

If Using PortalGuard v6.X or Later: Please note that the "Remember Me" functionality DOES NOT satisfy App-Specific 2FA.  Users will still be required to perform full 2FA when accessing an app that is marked to require 2FA, even if the current browser is marked as a valid, remembered browser. 

  1. Navigate to the PortalGuard server and open the PortalGuard Configuration Editor.
  2. Navigate to the Security Policies tab.
  3. Click on the Security Policy you wish to edit in order to highlight it.  Double click or click on the 'Edit' button to modify.
  4. Navigate to the Actions tab and then select the Login sub-tab.
  5. For 2FA, you will need to ensure that the 'PortalGuard Website Login' is either set to 'Two-factor (2FA)', or 'Password only' with the 'Allow End-user 2FA Opt-in?' option enabled. 
    • If neither of these cases is true, you will not be able to proceed with enabling the "Remember Me" functionality.
  6. With the 'PortalGuard Website Login' configured correctly, navigate to the Remember Browser sub-tab:
    • PortalGuard Security Policy - Remember Me 2FA
  7. Check the box labeled 'Allow Users to Remember Browsers?' to enable the "Remember Me" functionality within PortalGuard.
  8. The 'Expiration Period' should be set to the number of days a browser can be remembered for before prompting the user for 2FA once again.
  9. The 'Saved Browser Limit' value represents how many browsers can be 'remembered' for a given user.  After the limit has been reached, the oldest remembered browser will be forgotten the next time a user clicks the 'Remember Me' checkbox. 
  10. Click the 'Save' button to keep the changes.
  11. On the main screen of the PortalGuard Configuration Editor, click the red 'Apply to PortalGuard Server' button.
  12. Click the 'Sync' button.
  13. Upon the next login, users will now see an option to Remember this Device:
    • PortalGuard 2FA - Remember This Device
  14. Checking this box will prevent the user from being prompted for 2FA within this browser, for the duration of the 'Expiration Period' configured in the Security Policy. Users may also enter a 'Browser Description' to assist with defining which browser has been remembered:
    • PortalGuard 2FA - Remember This Device Details
  15. Users can view and manage Remembered Sessions from the PortalGuard Account Management Page after authentication:
    • PortalGuard 2FA - Remember This Device: Management
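The following is an added example, not PortalGuard code: a small Python model of the behaviour the steps above configure, useful for reasoning about what a given 'Expiration Period' and 'Saved Browser Limit' actually allow. The class and function names, the random cookie value, and the choice to keep only a hash of it server-side are assumptions of the example; the timeline in `demo()` is constructed.

```python
import hashlib
import secrets
from datetime import datetime, timedelta

class RememberedBrowsers:
    """Model of one user's remembered-browser list (illustrative, not PortalGuard code)."""

    def __init__(self, expiration_days, saved_browser_limit):
        self.ttl = timedelta(days=expiration_days)   # 'Expiration Period'
        self.limit = saved_browser_limit             # 'Saved Browser Limit'
        self.entries = []  # oldest first: (token_hash, description, expires_at)

    @staticmethod
    def _digest(token):
        # Assumption: only a hash of the cookie value is kept server-side.
        return hashlib.sha256(token.encode()).hexdigest()

    def remember(self, passed_2fa, description, now):
        """Return a new cookie value; allowed only after 2FA succeeded."""
        if not passed_2fa:
            raise PermissionError("2FA must succeed before a browser is remembered")
        if len(self.entries) >= self.limit:
            self.entries.pop(0)  # limit reached: the oldest browser is forgotten
        token = secrets.token_urlsafe(32)
        self.entries.append((self._digest(token), description, now + self.ttl))
        return token

    def needs_otp(self, cookie, now, app_requires_2fa=False):
        """True if the OTP prompt must follow the username/password step."""
        if app_requires_2fa or not cookie:
            return True  # app-specific 2FA, or no cookie (private window, cleared)
        self.entries = [e for e in self.entries if e[2] > now]  # drop expired
        digest = self._digest(cookie)
        return not any(secrets.compare_digest(digest, e[0]) for e in self.entries)

def demo():
    """Walk a constructed timeline and return the OTP decision at each point."""
    t0, day = datetime(2018, 9, 11), timedelta(days=1)
    store = RememberedBrowsers(expiration_days=30, saved_browser_limit=2)
    laptop = store.remember(True, "work laptop", t0)
    phone = store.remember(True, "phone", t0 + day)
    out = {"remembered": store.needs_otp(laptop, t0 + 5 * day),
           "no_cookie": store.needs_otp(None, t0 + 5 * day),
           "app_2fa": store.needs_otp(laptop, t0 + 5 * day, app_requires_2fa=True)}
    tablet = store.remember(True, "tablet", t0 + 6 * day)  # third browser, limit is 2
    out["evicted"] = store.needs_otp(laptop, t0 + 6 * day)
    out["expired"] = store.needs_otp(phone, t0 + 32 * day)
    out["still_valid"] = store.needs_otp(tablet, t0 + 32 * day)
    return out
```

In this model a remembered browser skips the OTP prompt only while its entry is unexpired and has not been pushed out by a newer one; every other path falls back to full 2FA.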

REV. 09/2018 | PortalGuard

  • 11-Sep-2018