How to Configure "Remember Me" Functionality for Two-Factor Authentication
If Two-Factor Authentication (2FA) is proving too burdensome for end-users, you may want to suppress the OTP prompt where possible after a successful 2FA, without removing the requirement completely.
Use PortalGuard's "Remember Me" feature to reduce the number of 2FA prompts presented to the end-user. "Remember Me" works by using an HTTP cookie to identify the device/browser being used by the end-user. This feature retains security by requiring that the end-user mark the device as trusted only AFTER successfully validating 2FA. In subsequent authentication requests, the user is still prompted for username and password.
Important Note: Users will still be forced to do full 2FA if they are using an Incognito/InPrivate window OR if they clear the cookies from the browser.
If Using PortalGuard v6.X or Later: Please note that the "Remember Me" functionality DOES NOT satisfy App-Specific 2FA. Users will still be required to perform full 2FA when accessing an app that is marked to require 2FA, even if the current browser is marked as a valid, remembered browser.
- Navigate to the PortalGuard server and open the PortalGuard Configuration Editor.
- Navigate to the Security Policies tab.
- Click on the Security Policy you wish to edit in order to highlight it. Double click or click on the 'Edit' button to modify.
- Navigate to the Actions tab and then select the Login sub-tab.
- For 2FA, you will need to ensure that the 'PortalGuard Website Login' is either set to 'Two-factor (2FA)', or 'Password only' with the 'Allow End-user 2FA Opt-in?' option enabled.
With the 'PortalGuard Website Login' configured correctly, navigate to the Remember Browser sub-tab:
Check the box labeled 'Allow Users to Remember Browsers?' to enable the "Remember Me" functionality within PortalGuard.
The 'Expiration Period' should be set to the number of days a browser can be remembered for before prompting the user for 2FA once again.
The 'Saved Browser Limit' value represents how many browsers can be 'remembered' for a given user. After the limit has been reached, the oldest remembered browser will be forgotten the next time a user clicks the 'Remember Me' checkbox.
Click the 'Save' button to keep the changes.
On the main screen of the PortalGuard Configuration Editor, click the red 'Apply to PortalGuard Server' button.
Click the 'Sync' button.
Upon the next login, users will now see an option to Remember this Device.
Checking this box will prevent the user from being prompted for 2FA within this browser, for the duration of the 'Expiration Period' configured in the Security Policy. Users may also enter a 'Browser Description' to help identify which browser has been remembered.
Users can view and manage Remembered Sessions from the PortalGuard Account Management Page after authentication.
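- If the 'PortalGuard Website Login' matches neither of the cases described for 2FA above ('Two-factor (2FA)', or 'Password only' with the 'Allow End-user 2FA Opt-in?' option enabled), you will not be able to proceed with enabling the "Remember Me" functionality.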
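The remembered-browser behaviour described above (a cookie issued only after successful 2FA, the 'Expiration Period', the 'Saved Browser Limit' with oldest-first eviction, and app-specific 2FA never being skipped) can be modelled as follows. This is an added example, not PortalGuard's code; the class, method and parameter names are hypothetical, and storing only a hash of the cookie value is an assumption of this sketch.

```python
import hashlib
import secrets
import time


class RememberedBrowsers:
    """Server-side store of remembered browsers (hypothetical model, not PortalGuard code)."""

    def __init__(self, expiration_days, saved_browser_limit):
        self.ttl = expiration_days * 86400   # 'Expiration Period', in seconds
        self.limit = saved_browser_limit     # 'Saved Browser Limit'
        self.by_user = {}                    # user -> list of records, oldest first

    @staticmethod
    def _digest(token):
        # Assumption: keep only a hash, so a leaked table cannot be replayed as cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def remember(self, user, second_factor_ok, description="", now=None):
        """Return a new cookie value; allowed only AFTER 2FA has succeeded."""
        if not second_factor_ok:
            raise PermissionError("a browser can be remembered only after 2FA")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)    # unguessable per-browser identifier
        records = self.by_user.setdefault(user, [])
        records.append({"hash": self._digest(token), "created": now,
                        "description": description})
        while len(records) > self.limit:     # over the limit: forget the oldest
            records.pop(0)
        return token  # set as a cookie with Secure, HttpOnly and SameSite attributes

    def needs_second_factor(self, user, cookie, app_requires_2fa=False, now=None):
        """True if the OTP prompt must be shown after the password check."""
        now = time.time() if now is None else now
        if app_requires_2fa or not cookie:   # app-specific 2FA, or no cookie presented
            return True
        live = [r for r in self.by_user.get(user, [])
                if now - r["created"] < self.ttl]
        if user in self.by_user:
            self.by_user[user] = live        # drop expired records
        digest = self._digest(cookie)
        return not any(secrets.compare_digest(r["hash"], digest) for r in live)
```

A missing cookie (Incognito/InPrivate window, or cookies cleared) falls through to the full 2FA path, which matches the Important Note above.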
REV. 09/2018 | PortalGuard