
Login once per day with 2FA and rest of day with username/password only

ArjenVHooydonk
Contributor
0 Kudos

Hi,

From our security team I have a requirement that a group of users log in to SAP SuccessFactors using 2FA once per day. Once they have logged in with 2FA they need to log in using username/password only for the rest of the day. The rest of the employees log in using username/password every single login.

For some reason the first scenario is working as required, but the second isn't. We have set up the IAS session to stay alive for 8 hours. When a user in the 2FA group logs in after the 30 minute time out in SuccessFactors expires they only need to enter username/password (seems like a bug to me). But the second group (not using 2FA, only username/password) doesn't have to log in again and can keep on using SuccessFactors for the entire 8 hours.

Is it possible to configure this in Identity Access Services (IAS)? As far as I know you can only configure how long the IAS session remains alive, so if the session ends the user will need to log in again with 2FA. No way to switch between 2FA and username/password depending on last time 2FA was used.

Hope someone can point me in the right direction. @haidongsong @harjeetjudge 

 

Arjen

Accepted Solutions (0)

Answers (2)


harjeetjudge
Product and Topic Expert

There are a couple of settings in IAS that you should explore further:

1) Under Application & Resources >> Application >> <select your SFSF app> >> Authentication and Access tab >> Force Authentication. This will require the user to specify the password each time they log in.

2) Under Application & Resources >> Tenant Settings >> Authentication tab >> Multi-Factor Authentication >> Trust this browser option for users: Set the number of days for which the users will not get prompted for second-factor authentication, if they sign in from the same browser.

With the combination of these 2 settings you should be able to achieve the desired behavior.

ArjenVHooydonk
Contributor
0 Kudos

Great, thanks! Do you know the definition of a day in the Multi-Factor Authentication tab? Does that look at the calendar day or a 24 hour counter from when you log in?

Would it be possible to automatically tick the "Trust This Browser" box (same way you can configure the system to remember your login)? Or is it always a manual tick by the user?

haidongsong
Product and Topic Expert

You are correct that we cannot set up conditional rules to switch between 2FA and username/pwd depending on the time of the last 2FA login.

BTW, what is the issue with an 8hr timeout period for regular users using username/pwd?

ArjenVHooydonk
Contributor
0 Kudos

Thank you for your response. The security officers deem the 8 hour time out period too long and want to maintain the 30 minute inactivity time out used by SuccessFactors.

haidongsong
Product and Topic Expert
0 Kudos

Then, in order to maintain the 30 min time out, the IAS session time out would need to be set at 30 min as well.