Initial thoughts
The following example covers a simple but common use case: skipping the second authentication factor on remembered browsers. The user can choose not to be asked for the second factor for a certain period when returning with the same browser.
It roughly works as follows:
After successful two-factor authentication, Airlock IAM stores a persistent Remember-Me cookie in the browser. The cookie is valid for a configurable period and is only issued if the user checks the corresponding checkbox on the 2nd-factor page.
If the user returns with the same browser in a new session, the Remember-Me cookie is validated and the user only has to provide the first factor when logging in; the second factor is skipped.
- For subsequent sessions with the same browser, the login process stays simplified until one of the following happens:
  - The Remember-Me cookie has expired (in the browser or on IAM).
  - The Remember-Me cookie has been tampered with.
  - A different user logs in with the same browser (outside the browser's private mode, in which the cookie would not be sent).
  - A user administrator has deleted the stored Remember-Me token on IAM.
Note that we strongly recommend limiting the validity time of the Remember-Me cookie in the configuration: for as long as the cookie is valid, anyone in possession of that browser profile only needs the first factor to log in.
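The following is an added illustration of the token lifecycle described above, written for this page and not Airlock IAM's own code: the server issues a random token after a successful second factor, stores only its hash together with the owner and an expiry, and on the next login checks the cookie for tampering (HMAC over the cookie value, assumed here as the integrity mechanism), expiry on the server side, administrative deletion, and a different user logging in with the same browser, in which case the stored token is dropped. The secret, the 14-day default validity and the cookie name `rememberme` are assumptions, not product settings.

```python
"""Illustrative Remember-Me flow for skipping the second factor on a known browser.
Not Airlock IAM code: the secret, validity and cookie name below are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

VALIDITY_SECONDS = 14 * 24 * 3600  # assumption: 14 days; keep this short in practice


@dataclass
class RememberMeRecord:
    token_hash: str    # sha256 of the random token; the cleartext token lives only in the cookie
    username: str
    expires_at: float  # server-side expiry, independent of the browser's Max-Age


class RememberMeStore:
    """Server-side registry of Remember-Me tokens (stands in for the IAM token store)."""

    def __init__(self, secret: bytes, validity_seconds: int = VALIDITY_SECONDS,
                 now: Callable[[], float] = time.time):
        self._secret = secret
        self._validity = validity_seconds
        self._now = now
        self._records: dict = {}  # token_id -> RememberMeRecord

    def _mac(self, token_id: str, token: str) -> str:
        # Integrity tag over the cookie payload so a modified cookie is rejected
        # before any database lookup.
        return hmac.new(self._secret, f"{token_id}.{token}".encode(), hashlib.sha256).hexdigest()

    def issue(self, username: str) -> str:
        """Called after a successful 2FA when the user ticked 'remember this browser'."""
        token_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self._records[token_id] = RememberMeRecord(
            token_hash=hashlib.sha256(token.encode()).hexdigest(),
            username=username,
            expires_at=self._now() + self._validity,
        )
        return f"{token_id}.{token}.{self._mac(token_id, token)}"

    def set_cookie_header(self, cookie_value: str) -> str:
        """Persistent cookie: Max-Age mirrors the server-side validity; never readable by scripts."""
        return (f"Set-Cookie: rememberme={cookie_value}; Max-Age={self._validity}; "
                "Path=/; Secure; HttpOnly; SameSite=Lax")

    def revoke(self, token_id: str) -> None:
        """What a user administrator does when deleting the stored token."""
        self._records.pop(token_id, None)

    def check(self, cookie_value: Optional[str], username: str) -> Tuple[bool, str]:
        """After the first factor succeeded for `username`: may the second factor be skipped?"""
        if not cookie_value:
            return False, "no cookie"
        parts = cookie_value.split(".")
        if len(parts) != 3:
            return False, "malformed"
        token_id, token, mac = parts
        if not hmac.compare_digest(mac.encode(), self._mac(token_id, token).encode()):
            return False, "tampered"
        record = self._records.get(token_id)
        if record is None:
            return False, "unknown or deleted"
        presented_hash = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented_hash.encode(), record.token_hash.encode()):
            return False, "tampered"
        if self._now() >= record.expires_at:
            self.revoke(token_id)            # expired on the server even if the browser kept it
            return False, "expired"
        if record.username != username:
            # Another user logged in with this browser: drop the token so the original
            # owner is asked for the second factor again on the next login.
            self.revoke(token_id)
            return False, "different user"
        return True, "ok"


def demo() -> dict:
    """Walk through every termination condition with a controllable clock (constructed data)."""
    clock = [1_000_000.0]
    store = RememberMeStore(b"installation-secret-keep-out-of-git", validity_seconds=3600,
                            now=lambda: clock[0])
    results = {}
    cookie = store.issue("alice")
    results["same_user"] = store.check(cookie, "alice")
    tid, tok, mac = cookie.split(".")
    flipped = tok[:-1] + ("A" if tok[-1] != "A" else "B")
    results["tampered"] = store.check(f"{tid}.{flipped}.{mac}", "alice")
    results["other_user"] = store.check(cookie, "bob")          # revokes alice's token
    results["after_other_user"] = store.check(cookie, "alice")  # token is gone now
    cookie2 = store.issue("alice")
    store.revoke(cookie2.split(".")[0])                         # administrator deletes it
    results["admin_deleted"] = store.check(cookie2, "alice")
    cookie3 = store.issue("alice")
    clock[0] += 3601                                            # past the server-side validity
    results["expired"] = store.check(cookie3, "alice")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18} -> {outcome}")
```

Two design points worth noting: the store keeps only a hash of the token, so a leaked token database does not let an attacker mint cookies, and the server-side expiry is enforced regardless of the cookie's Max-Age, which is what makes "expired on IAM" a separate termination condition from "expired in the browser".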