Trust this browser/device – persistent 2nd-factor authentication

Initial thoughts

The following example targets a simple but common use case: skipping the second authentication factor on remembered browsers. It allows the user to choose not to be asked for the second factor for a while when using the same browser.


It roughly works as follows:

After successful two-factor authentication, Airlock IAM stores a persistent Remember-Me cookie in the browser. The cookie is valid for a certain amount of time and it is only issued if the user checks a corresponding checkbox on the 2nd-factor page.

If the user returns with the same browser on a new session, the Remember-Me cookie is validated and the user does not have to provide the second factor when logging in.

For subsequent sessions with the same browser, the login process is simplified until:

  • The Remember-Me cookie has expired (in the browser or on IAM).
  • The Remember-Me cookie has been tampered with.
  • A different user logs in with the same browser (not using the browser's private mode).
  • A user administrator has deleted the stored Remember-Me token on IAM.

Note that we strongly recommend limiting the validity time of the Remember-Me cookie in the configuration.

Prerequisites

Our use case requires a simple flow with the following steps in the shown order:

[Figure: flow steps of the simple Remember-Me 2nd-factor flow]

Each step is listed with its name, its tags/guards, and a description.

Step 1 – Username Password Authentication Step

  • Tags On Success: WEAK_AUTHENTICATION, PASSWORD_VERIFIED

  This step validates username and password:
  1. If the credentials are valid, the authentication is successful.
  2. If the credentials are invalid, the authentication fails.

Step 2 – Remember-Me User Identifying Step

  • Pre Condition: WEAK_AUTHENTICATION
  • Tags On Success: STRONG_AUTHENTICATION

  This step validates the Remember-Me token:
  1. If the Remember-Me cookie from the user's browser is valid, the step issues the STRONG_AUTHENTICATION tag. The tag causes Step 3 to be skipped because of its skip condition.
  2. If the Remember-Me cookie is missing or invalid, no tag is issued and Step 3 is not skipped.

Step 3 – Airlock 2FA Step for Authentication

  • Skip Condition: STRONG_AUTHENTICATION
  • Tags On Success: STRONG_AUTHENTICATION
  • Activates: Step 4

  This step verifies the user's second authentication factor (Airlock 2FA in this example).

  The user may activate the next step using the dynamic step activation (DSA) feature. This leads to the Don't ask me again for 30 days checkbox on the page.

Step 4 – Remember-Me Token Generating Step

  • Pre Condition: STRONG_AUTHENTICATION

  This step generates a Remember-Me cookie, sends it to the browser, and stores the necessary information in the IAM database.

  The step needs to be activated using the dynamic step activation (DSA) feature (the checkbox in Step 3). If it is not activated, it is skipped.

  The precondition ensures that the step can only be executed after successful strong authentication. The precondition guards against configuration mistakes and is not strictly necessary in this example flow.

To get the expected results, the logout behavior configuration of the Remember-Me feature must be set to KEEP_COOKIE.

Please note:

  • The Remember-Me User Identifying Step must be placed after the Username Password Authentication Step. This is because the Username Password Authentication Step determines who is logging in. This may be a different user than the one that stored the Remember-Me cookie in the browser. If this is the case, the Remember-Me User Identifying Step ignores the Remember-Me cookie. However, the Username Password Authentication Step, if it were placed after the Remember-Me User Identifying Step, cannot handle this situation and would fail.
  • The dynamic step activation (DSA) for Step 4, resulting in the Don't ask me again for 30 days checkbox, must be in the second-factor step (Airlock 2FA Step for Authentication) and cannot be done in the Username Password Authentication Step.
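The following Python sketch is an added example, not Airlock IAM code: it models the four steps above with their tags, precondition and skip condition, and a Remember-Me token that is validated against a server-side store, so that each condition from the list at the top (expiry, tampering, a different user, administrator deletion) can be seen to make Step 3 run again. The cookie format (token id plus HMAC), the in-memory TOKENS store standing in for the IAM database, and the result dictionary are assumptions made for illustration.

```python
import hashlib, hmac, os, time

SECRET = os.urandom(32)  # server-side HMAC key (constructed for this example)
TOKENS = {}              # stands in for the IAM database: token_id -> (user, expiry)

def _mac(token_id, user):
    return hmac.new(SECRET, f"{token_id}:{user}".encode(), hashlib.sha256).hexdigest()

def issue_cookie(user, days=30, now=None):
    """Step 4: create a Remember-Me token, record it, return the cookie value."""
    now = time.time() if now is None else now
    token_id = os.urandom(16).hex()
    TOKENS[token_id] = (user, now + days * 86400)
    return f"{token_id}.{_mac(token_id, user)}"

def cookie_valid(cookie, user, now=None):
    """Step 2: validate the cookie for the user that Step 1 identified."""
    now = time.time() if now is None else now
    if not cookie or "." not in cookie:
        return False
    token_id, mac = cookie.split(".", 1)
    entry = TOKENS.get(token_id)
    if entry is None:                       # deleted by an administrator (or never issued)
        return False
    owner, expiry = entry
    if owner != user or now > expiry:       # another user's cookie, or expired on IAM
        return False
    return hmac.compare_digest(mac, _mac(token_id, user))  # tampered value fails here

def run_flow(user, password_ok, second_factor_ok, cookie=None, remember=False, now=None):
    """Steps 1-4 with the page's tags: Step 3 runs only without STRONG_AUTHENTICATION."""
    tags = set()
    if not password_ok:                     # Step 1 fails: the flow ends here
        return {"ok": False, "tags": tags, "cookie": cookie, "asked_2fa": False}
    tags |= {"WEAK_AUTHENTICATION", "PASSWORD_VERIFIED"}
    if cookie_valid(cookie, user, now):     # Step 2 (Pre Condition WEAK_AUTHENTICATION)
        tags.add("STRONG_AUTHENTICATION")
    asked_2fa = "STRONG_AUTHENTICATION" not in tags
    if asked_2fa:                           # Step 3: skip condition not met, ask for 2FA
        if not second_factor_ok:
            return {"ok": False, "tags": tags, "cookie": cookie, "asked_2fa": True}
        tags.add("STRONG_AUTHENTICATION")
        if remember:                        # DSA from Step 3 activates Step 4
            cookie = issue_cookie(user, now=now)
    return {"ok": True, "tags": tags, "cookie": cookie, "asked_2fa": asked_2fa}
```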

Example sequence with two browser sessions

The following simplified sequence diagram shows two different sessions. In Session 2 the second authentication step is skipped because of the Remember-Me cookie.

[Sequence diagram: Remember-Me cookie skipping the 2nd factor across two sessions]

Session 1
  1. The user logs in with the username and password.
  2. The user provides the second factor (Airlock 2FA) and checks the Don't ask me again for 30 days checkbox.
  3. On successful authentication, IAM generates a new Remember-Me cookie that is valid for 30 days. The Remember-Me cookie is sent to the browser and the necessary information is stored in the IAM database.
  4. Session 1 is terminated (either by the user logging out or by a timeout). The logout behavior configuration tells IAM not to invalidate the Remember-Me cookie.

Session 2
  1. The user re-authenticates with the username and password with the same browser. The Remember-Me cookie is sent to IAM.
  2. Because the Remember-Me cookie is valid, the Airlock 2FA authentication flow step is skipped.