Flexible Multi-Factor Authentication (MFA) Controls
Problem Statement:
Currently, the system requires MFA at every login, regardless of the device or session context. While secure, this "one-size-fits-all" approach is causing significant MFA fatigue among users and disrupting workflows on trusted, managed devices.
Proposed Enhancement:
I am requesting the implementation of more granular MFA controls that allow for a better balance between security and user experience. Specifically, I propose adding the following features:
"Remember This Device" Option:
Allow users to opt in to a trusted device status (e.g., for 14 or 30 days). This would suppress MFA prompts for subsequent logins on that specific browser/device until the duration expires or the session cookie is cleared.
Adaptive/Risk-Based MFA:
Implement logic that triggers MFA only when "out-of-pattern" behaviour is detected, such as:
Logins from a new IP address or geographic location.
Accessing the system from an unrecognized device or browser.
Attempts to perform high-privilege actions (e.g., password changes or data exports).
Configurable Re-authentication Intervals:
Provide administrators the ability to set different MFA frequencies based on user roles (e.g., standard users every 7 days vs. admins at every login).
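The following is an added example, not code from the project this request is filed against, showing how the three proposed controls ("Remember This Device", adaptive triggers, and per-role re-authentication intervals) can be combined in one step-up decision. It assumes a stable device identifier supplied by the client (device_id), an HMAC-signed trusted-device token issued after a successful MFA, and a role-to-interval table that an administrator would edit; all of these, along with the sample IPs and history, are constructed for illustration. The evaluation order is a design choice worth noting: high-privilege actions and out-of-pattern signals (new IP, new device) always demand MFA even on a remembered device, and a role configured for "every login" also ignores the remembered-device token, so the convenience feature can never weaken the stricter policies.

```python
"""Risk-aware MFA step-up decision (constructed example, not the project's own code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Actions that always require a fresh MFA, regardless of device trust.
HIGH_PRIVILEGE_ACTIONS = {"password_change", "data_export"}

# Administrator-configurable re-authentication interval per role.
# timedelta(0) means "MFA at every login" (the admin policy from the request).
ROLE_REAUTH_INTERVAL = {
    "standard": timedelta(days=7),
    "admin": timedelta(0),
}

# Assumption: in production this is a managed secret, not generated at import.
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class UserHistory:
    """What the server already knows about a user's normal pattern."""
    known_ips: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)
    last_mfa_at: dict = field(default_factory=dict)  # device_id -> last MFA time


@dataclass
class LoginContext:
    user_id: str
    role: str
    ip: str
    device_id: str  # assumption: a stable browser/device identifier from the client
    now: datetime
    action: str = "login"
    trusted_device_token: Optional[str] = None


def issue_trusted_device_token(user_id: str, device_id: str, days: int,
                               now: datetime, key: bytes = SERVER_KEY) -> str:
    """Issue a 'remember this device' token bound to user, device and expiry."""
    expiry = int((now + timedelta(days=days)).timestamp())
    payload = f"{user_id}|{device_id}|{expiry}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def trusted_device_valid(token: Optional[str], user_id: str, device_id: str,
                         now: datetime, key: bytes = SERVER_KEY) -> bool:
    """Verify MAC first (constant time), then binding and expiry."""
    try:
        tok_user, tok_dev, expiry, mac = token.split("|")
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(key, f"{tok_user}|{tok_dev}|{expiry}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    if tok_user != user_id or tok_dev != device_id:
        return False
    return now.timestamp() < int(expiry)


def mfa_required(ctx: LoginContext, history: UserHistory,
                 key: bytes = SERVER_KEY) -> Tuple[bool, str]:
    """Return (require_mfa, reason). Strict rules are checked before convenience ones."""
    if ctx.action in HIGH_PRIVILEGE_ACTIONS:
        return True, "high_privilege_action"
    if ctx.ip not in history.known_ips:
        return True, "new_ip"
    if ctx.device_id not in history.known_devices:
        return True, "new_device"
    interval = ROLE_REAUTH_INTERVAL.get(ctx.role, timedelta(0))  # unknown role: strict
    if interval == timedelta(0):
        return True, "role_requires_every_login"
    if trusted_device_valid(ctx.trusted_device_token, ctx.user_id, ctx.device_id, ctx.now, key):
        return False, "trusted_device"
    last = history.last_mfa_at.get(ctx.device_id)
    if last is None or ctx.now - last >= interval:
        return True, "reauth_interval_elapsed"
    return False, "within_reauth_interval"


def run_scenarios() -> dict:
    """Constructed sample logins exercising each rule; returns reason per scenario."""
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)
    hist = UserHistory(known_ips={"203.0.113.10"}, known_devices={"dev-A"},
                       last_mfa_at={"dev-A": now - timedelta(days=3)})
    base = dict(user_id="alice", role="standard", ip="203.0.113.10", device_id="dev-A", now=now)
    stale = UserHistory(hist.known_ips, hist.known_devices, {"dev-A": now - timedelta(days=10)})
    good = issue_trusted_device_token("alice", "dev-A", 30, now)
    expired = issue_trusted_device_token("alice", "dev-A", 30, now - timedelta(days=40))
    parts = good.split("|"); parts[2] = str(int(parts[2]) + 365 * 86400)
    forged = "|".join(parts)  # expiry edited without the key: MAC no longer matches
    return {
        "routine": mfa_required(LoginContext(**base), hist),
        "new_ip": mfa_required(LoginContext(**{**base, "ip": "198.51.100.7"}), hist),
        "new_device": mfa_required(LoginContext(**{**base, "device_id": "dev-Z"}), hist),
        "export": mfa_required(LoginContext(**{**base, "action": "data_export"}), hist),
        "admin": mfa_required(LoginContext(**{**base, "role": "admin"}), hist),
        "remembered": mfa_required(LoginContext(**base, trusted_device_token=good), stale),
        "expired": mfa_required(LoginContext(**base, trusted_device_token=expired), stale),
        "forged": mfa_required(LoginContext(**base, trusted_device_token=forged), stale),
    }


if __name__ == "__main__":
    for name, (required, reason) in run_scenarios().items():
        print(f"{name:10s} MFA={'yes' if required else 'no ':3s} ({reason})")
```

The reason string returned alongside the decision is what you would log on every authentication event; it lets a detection team count step-ups per trigger and spot, for instance, a burst of "new_ip" prompts against one account, which is exactly the notification pattern the request is trying to make rare for legitimate users.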
Benefit:
These updates will reduce "notification spam," lowering the risk of users reflexively approving malicious MFA requests while maintaining high security for sensitive actions and unknown access points.
Goal:
Move from a static "every login" requirement to a dynamic, risk-aware authentication model.