Mandate 2FA for Domain Users but not local DPS User

Hello,

What DVLS version are you using?

The only other method is to set the 2FA Usage to Optional per user but you'll have to manually manage the 2FA settings for each user account. There is no method to disable 2FA for specific accounts when the 2FA Usage parameter is set to Required.



Best regards,

DS 2020.3.17.0

We want to leverage user auto-creation so I guess we'll have to go 2FA on all for now. If we can possibly put in a feature request for disable 2FA on a per user basis that would help. Our use case is that we do prefer to have 1 backdoor non-2FA account. However, if it's possible to just disable 2FA when you are on the local DS server itself by modifying the web.config or something like that, that would be sufficient.

Hello,

We have designed a policy engine that would allow you to skip MFA according to certain criteria, like IP masks, weekend access, etc.

Since we are already close to feature complete for our 2021.1 cycle, I fear it will be on the board only for 2021.2, planned for Q4.

Best regards,

Ok, in theory could I create an MFA bypass for 127.0.0.1 for local logins when the user is on the DS server itself? Any risks behind that?

For all new features, we work with our Security team and they review everything.

I cannot say for the risk of spoofing localhost origins, but I'll add that to our Concerns list.