Changing 2 factor auth periodicity to keep members involved

Hi,

Is there a hidden feature to change the 2-factor auth periodicity, or to have it requested only when a previously unknown IP is spotted?

Why? As much as it enhances security, it can be bothersome to have it required on every connection and take some people away from your community.

If you have a good spam prevention enforcement + email verification on sign up, maybe a periodicity of 1x per week would be good enough.

Hmm, how often are you getting prompted for 2FA?

Just noting that I’ve never been prompted for 2FA on meta as my session is rarely/never expired.

There are some session settings you can set: /admin/site_settings/category/all_results?filter=session

  • “Persistent sessions” is enabled by default
  • “Maximum session age” is 60 days (1440h) by default

You could try to extend the session age, but I feel like a user who hasn’t opened the community in 60 days should probably be prompted to log in again.

Something else you can explore is also SSO, so there isn’t a need for your user to undergo 2FA.

Hi,

On meta, 2FA is not enforced. But if we take into account session duration, even if I enforce it via admin/enforce_second_factor, a high session duration will prevent it from being asked, so it solves the issue.

Thanks for the administration link!
