MFA: remember device permanently (& remember per device, not per app)
1. Remove the 60-day (max) limit on remembering Office 365/Azure MFA authorisation for a device/app.
2. Make it so that MFA is remembered once per device (well, per user account per device), not once per app (for all Microsoft apps that authorise across all kinds of devices).
Rationale: Having to refresh the MFA authorisation periodically does not add to security, because we already know that the app or device is trusted and if that changes (e.g. device is lost or stolen), the correct procedure to follow is for the admin to immediately revoke the authorisation for the device and/or account.
Additionally, when using several different Microsoft apps on multiple devices (computer, mobile phone, tablet), currently every one of our 48 staff has to re-authorise for MFA 5 or more times every 60 days (Windows: once for Outlook/MS Office, once for Office 365 apps on the web accessed via Chrome, once for OneDrive client; Android or iPhone: once for Outlook app, once for Office 365 apps accessed via Chrome app).
Worse, the OneDrive client app on Windows falls over and does not seem to restart itself if this process is not completed properly, so every 60 days we have several complaints from users about their files not syncing - this can affect vulnerable members of our community given the work we do.
It is not a matter of making it 90 days or some other length of time (even 365 days) - having to renew the MFA authorisation periodically actually decreases security because users get fed up with having to re-enter credentials over and over, and they are then less careful in general with authorisations that pop up, leaving them open to phishing scams on their other online accounts.
Remembering MFA authorisation once per user account per device is just standard from other IT vendors, since it just makes sense. There's no need from a user's point-of-view to authorise that each app separately when we know that the user account on the device is trusted.
We are currently considering updating the Remember MFA settings. You can use Conditional Access Sign-in frequency policy to extend the session lifetime up to 365 days.
Seems to be live
"We are currently considering updating the Remember MFA settings. You can use Conditional Access Sign-in frequency policy to extend the session lifetime up 365 days."
- thanks for finally looking at this important issue, Microsoft.
Can you please point us towards where the Conditional Access Sign-in frequency policy is documented? It would have been good to know this a couple of years ago when we first raised the issue.
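For readers arriving at this thread with the same question, the following is an added example (not part of the original thread or Microsoft's response) showing how the Conditional Access session controls referred to above are set from PowerShell with the Microsoft Graph SDK. The group ID, policy name and 365-day value are assumptions chosen to match the thread; the policy is created in report-only state so it can be checked against sign-in logs before it is enforced.

```powershell
# Added example: create a Conditional Access policy that sets the sign-in frequency
# to 365 days (the maximum the Microsoft response above mentions) and keeps browser
# sessions persistent, so users are not re-challenged for MFA by a timer alone.
# Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Assumption: a pilot group ID; replace with the object ID of the group to target.
$pilotGroupId = "00000000-0000-0000-0000-000000000000"
$policyName   = "Long-lived MFA sessions (pilot)"

$policy = @{
    displayName = $policyName
    # Report-only first: the policy is evaluated and logged but not enforced.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users         = @{ includeGroups = @($pilotGroupId) }
        applications  = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    sessionControls = @{
        # Sign-in frequency: how long before an interactive sign-in is required again.
        signInFrequency = @{
            isEnabled = $true
            type      = "days"
            value     = 365
        }
        # Persistent browser session: keep the session across browser restarts.
        persistentBrowser = @{
            isEnabled = $true
            mode      = "always"
        }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and show the session controls that were stored.
Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$policyName'" |
    Select-Object DisplayName, State -ExpandProperty SessionControls |
    Format-List
```

Leave the policy in report-only mode until the sign-in logs confirm it matches only the intended users and apps, then switch `state` to `enabled`. Note that this changes how often a token must be re-obtained interactively; it does not by itself revoke sessions on a lost device, which still has to be done by the admin (for example by disabling the device or revoking the user's sessions).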
Charles Roddie commented
This is a requirement for us to enable MFA in AAD.
+1 to this. It is really annoying to do this everytime
+1 to this request.
@Mike, completely disagree with you. There aren't any reports that may suggest that G Suite is less secure than O365, yet Google has had this "Trust this device forever" functionality implemented for years with no problems at all; Apple has it also on iCloud accounts and iPhones.
Andrew Colombino commented
Now that the clock is ticking on basic authentication and app passwords for Office 365, the need for this is critical.
Users should only be challenged for MFA if they are actively logging on somewhere and not because of some background token expiration or an arbitrary trust expiration.
Aaron Moran commented
Should certainly be customizable, but please do not make it a global change. In a world where everyone's cookies and passwords are saved and automatically resume sessions, many still consider having to re-authenticate MFA every so often a good practice.
I'm not sure I agree with this line of thinking for all devices. In a connected world, devices are prone to getting hacked at any time, regardless of whether they were lost. Also, forcing a device to be reauthorized once every 60 days ensures that a device has not unknowingly been lost. I found this post looking for a way to lower the 60-day limit for certain high-level accounts.
Stopping the Onedrive drive sync client must be avoided.
Aleksandar Tanev commented
This must happen asap.
It is such a pain! Especially with the Mail app for iOS - there is no way a regular user can authenticate without tech support!
The expiration of a registered device is like that of passwords. The industry has found that regularly expiring passwords is in fact less secure and so it is probably a matter of time before something like this is recognized in the same light.
That said, I think the existing option is to leverage Intune and the Conditional Access method of enforcing MFA. We have been piloting Azure MFA enforced by Conditional Access for the past few months and this question has come up as the user experience was a concern. It has been difficult to explain to users why they get multiple MFA challenges on a single device. Luckily, we were evaluating Intune at the same time and plan to head that direction.
John Gillanders commented
Hi Microsoft - please review this issue. The first part (removing the 60-day limit and allowing an app/device to be trusted permanently) is the most important part of this. Even setting a 'permanent' option but in the background making it, say, 1,000,000 days (thousands of years) would be a quick fix to this issue.
This topic has been moving up the pages in the most popular and has been in the 'Hot' category for months now, but we still have not heard a single comment from you.
This would help so many organisations and businesses around the world - please give it some attention!
I agree with others. Having to log in again to all desktop applications using O365 (Outlook, Teams, OneDrive) is annoying for our users!! It doesn't add security this way.
Julian Davidson commented
We're hitting limits with the *number* of allowed devices and number of allowed *attempts* to register just testing it. - Julian (also from NZ).
There is a partial work-around for this hassle: you can set up trusted IPs (you may need Azure AD Premium for this - I am not sure) here, and at least prevent MFA requests from your company's office network:
Jason Simotas commented
Once I approve a device, why should Microsoft UNapprove it every 60 days. G Suite doesn't have a time limit, nor do any of the other MFA providers that we use. We end up using App passwords where possible since they have no limit. All of this spells LESS security - not more.
Jason Rue commented
Amarendar Puli commented
Totally agree with the above idea; MFA can be ruled out for trusted devices. Though we have deployed it, it is very annoying for users. Hope Microsoft comes up with some solution.
Hi Rick S,
Sorry to hear that. :(
Glad we are at least not alone in this. Please encourage as many people as you can to vote for this, so that we can bring it to Microsoft's attention.
Anglican Family Care
Rick S commented
I have not been able to roll out MFA at my organization due to pushback regarding the 60-day limit for which devices are remembered - this is just an unnecessary hurdle for our users in my opinion, and I completely agree with the OP's discussion above in that it does not add security for trusted devices. It has severely crippled our security because my hands are tied, and I'm not able to roll MFA out to our users.