MFA: Remember 'Trust this device' setting after 24 hours
I understand the ATO requires you to enter 2FA daily, but that doesn't mean the tickbox should uncheck itself every day.
If I tick "Trust this device" on Monday and log in using 2FA, I can then log in without 2FA for 24 hours.
After that 24 hours, I need to log in using 2FA again AND I have to tick the "Trust this device" box again to get another 24-hour reprieve.
Let us tick the box, or another box, that will remember our choice on an ongoing basis. So each day I only have to log in using 2FA again, but my choice to trust that device for 24 hours is remembered.
-
Jordan Tanner commented
Xero has the most aggressive MFA of any software platform I use (BY FAR), including that of my bank.
Please allow users (or admins) the option to relax MFA timeout.
-
Sam Gray commented
@Koti,
It used to work like 1 and 3 (30 days) then they changed it to work like 1 and 3 but only for 24 hours.
They won't go back to 30 days...
What I want in lieu of that is for them to keep the box ticked (if I tick the box), so that when I am forced to use MFA on logging in >24h later, I don't have to tick the box again and I won't have to use MFA again for 24h (unlike now, where I do, if I forget to tick the box when logging in on day 2).
-
Koti Karthick Kumar Vankayala commented
I work as a senior Identity and Access Management consultant, and my recommendations are below:
1. If a user checks the "Trust my device" box, then trust the device and skip MFA for the next login.
2. If the gap until the next login is more than 3 days (ideally, considering the weekend), ask for MFA again; otherwise keep skipping the MFA. This is like idle time in the login behaviour.
3. Consider refreshing MFA every 30 days. This means that even if the user is regularly logging in, force them to MFA after 30 days. This is the max MFA duration. I can provide clearer instructions if required.
Cheers.
-
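The three rules in the comment above (trust on tick, a 3-day idle limit, a 30-day maximum before a fresh MFA challenge) expressed as server-side policy logic. This is an added example, not Xero's code or the commenter's; the record fields, the policy constants and the simulated login dates are assumptions constructed for illustration. It also keeps the trust flag across challenges, which is the behaviour the original post asks for.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumed policy constants, taken from the recommendation in the thread:
# skip MFA while logins are no more than 3 days apart, but never let a
# trusted device go more than 30 days without a fresh MFA challenge.
IDLE_LIMIT = timedelta(days=3)
MAX_TRUST_AGE = timedelta(days=30)


@dataclass
class TrustedDevice:
    """Hypothetical server-side record created when the user ticks 'Trust this device'."""
    device_id: str
    mfa_verified_at: datetime  # when the last MFA challenge was passed on this device
    last_seen_at: datetime     # most recent successful login on this device


def mfa_required(record: Optional[TrustedDevice], now: datetime) -> Tuple[bool, str]:
    """Decide whether a login at `now` must pass an MFA challenge.

    Order matters: the hard 30-day ceiling is checked before the idle rule,
    so a device that is used every day is still re-challenged on schedule.
    """
    if record is None:
        return True, "untrusted device"
    if now - record.mfa_verified_at > MAX_TRUST_AGE:
        return True, "max trust age exceeded"
    if now - record.last_seen_at > IDLE_LIMIT:
        return True, "idle limit exceeded"
    return False, "trusted"


def record_login(record: TrustedDevice, now: datetime, passed_mfa: bool) -> TrustedDevice:
    """Update the record after a successful login.

    Every login resets the idle clock; only a passed MFA challenge resets the
    30-day clock. The trust record itself survives a challenge, so the user
    never has to tick the box again (the original post's request).
    """
    return TrustedDevice(
        device_id=record.device_id,
        mfa_verified_at=now if passed_mfa else record.mfa_verified_at,
        last_seen_at=now,
    )


def simulate(login_times: List[datetime]) -> List[Tuple[datetime, bool, str]]:
    """Replay a sequence of logins from one device, starting untrusted.

    The first login passes MFA and ticks the box; later logins are evaluated
    against the policy and the record is updated accordingly.
    """
    record: Optional[TrustedDevice] = None
    results = []
    for t in login_times:
        need, reason = mfa_required(record, t)
        if record is None:
            record = TrustedDevice("dev-1", mfa_verified_at=t, last_seen_at=t)
        else:
            record = record_login(record, t, passed_mfa=need)
        results.append((t, need, reason))
    return results


def example_scenario() -> List[Tuple[int, bool, str]]:
    """Constructed scenario: three daily logins, a four-day gap (weekend plus
    one day), then 31 days of daily use. Returns (day_offset, challenged, reason)."""
    start = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed date, a Monday
    offsets = [0, 1, 2, 6] + list(range(7, 38))
    results = simulate([start + timedelta(days=d) for d in offsets])
    return [(d, need, reason) for d, (_, need, reason) in zip(offsets, results)]


if __name__ == "__main__":
    for day, challenged, reason in example_scenario():
        if challenged:
            print(f"day {day:2d}: MFA challenge ({reason})")
```

Run as a script it lists only the logins that trigger a challenge: day 0 (new device), day 6 (four idle days) and day 37 (31 days since the day-6 challenge); every other login in the 38-day window is silent, and the device never needs to be re-trusted.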
Chris Clark commented
Totally agree... I love Xero, but I absolutely HATE that I have to use 2FA every time I log in. You really should allow remembering my authenticated login for a period of time (ideally around 30 days). I have many companies which have Xero accounts, and all of my various teams that use Xero lose time from having to log in with 2FA EVERY time. This is literally costing me thousands and thousands of dollars of productivity each year across all my companies/people using Xero.
-
Grant McQuoid commented
Now that we have daily authentication when logging into Xero, why do we also have to tick the "Trust this device" button? Please remove that requirement; it's a needless click which is inefficient.
I'd also recommend you challenge your development team to reduce the number of clicks to do things in Xero; at times it feels like your programme constantly requires multiple menu clicks to do things when one selection should be enough.