Articles in this section

Templafy multi-factor authentication prompts at midnight

Avatar
Maria Bendixen
Updated
Follow

About this article

This article contains explanations and solutions to multi-factor authentication prompts, which run at midnight. Sections in this article: 

 

Prerequisites

 
  • This guide applies to both Templafy One and Templafy Hive since it is about Multifactor Authentication which in the end is regulated on the client side
  • If you have any questions regarding your current MFA setup, please reach out to your internal IT department or system administrator.

 

How does the Templafy authentication process work?

Templafy uses JSON Web Tokens (JWT), an open industry standard RFC 7519 method for representing claims securely between two parties. The Templafy Desktop application uses a refresh token to verify the user access to the tenant and content.

This refresh token has a lifetime of 24 hours and will be refreshed by the Templafy Desktop application every day around midnight (the load is distributed throughout the first hour after midnight).

To refresh the token, Templafy will send an authentication request to the user’s Identity Provide (IdP). If the IdP has an MFA condition in place for this request, the end user will be prompted to confirm the authentication process.

 

Conditions for Templafy to refresh the JWT

Once the refresh token has expired, the Templafy desktop application will attempt to re-authenticate the user by requesting a new JWT under the following conditions:

  • If the computer is asleep or turned off, Templafy desktop will refresh the token once the user logs into Windows and automatically start the Templafy desktop application.
  • If Windows and Templafy Desktop are still running after midnight.

Depending on the MFA conditions this re-authentication process will require for the user to confirm the authentication attempt, preventing the Templafy Desktop application from seamlessly (read silently) refreshing the SSO token.

 

 
  • Please note, the MFA conditions are configured within the user’s IdP side and cannot be changed by Templafy.
  • Please note, MFA with Duo Security is not supported with the protocol OpenID Connect (Only SAML2)

 

 

Solution 1: Adjusting the MFA conditions

It is recommended to define MFA conditions that do not require user confirmation upon every Templafy authentication request but rather under specific conditions. This will provide an improved user experience and an uninterrupted workflow.

The specific MFA conditions must be reviewed by your security team, but an example could be:

MFA challenge when Login the first time (any device, any location) - Stored for full session (~8 hours)
Exception Using a Managed Browser from a Corporate device (native login) will not challenge MFA; in Templafy One we use Internet Explorer, Templafy Hive uses Edge Chromium (Webview2)

 

 
  • Please note, If Azure AD is being used as the IdP, Microsoft does not recommend to use the legacy per-user MFA setup anymore. Instead it is recommended to use modern authentication such as Security Defaults or a Conditional Access.

    The disadvantage of the legacy per-user MFA configuration is that it is either enabled or disabled. As a result, the end user will either always be prompted with a MFA request, preventing the SSO process from being truly seamless.

 

 
  • Please note that Security Defaults is available for free but for Conditional Access policies, it is required to have one of the following MS subscriptions:
    • Microsoft 365 Business Premium
    • Microsoft 365 E3 and E5
    • Azure AD Premium P1 and Azure AD Premium P2 licenses

 

Solution 2: Group Policy – Hibernation Mode

If an MFA challenge is required for every authentication process, it is possible to push a group policy to all users' machines to change the Microsoft power settings.

An example setting could be that after one hour of inactivity, the machine goes into hibernation or sleep mode. Entering this mode Windows will automatically save all work and close the Templafy Desktop application, thus preventing the authentication request at midnight.

Even though this solution solves the authentication prompts at midnight, it will prevent the SSO process from being seamless.

If you have any questions regarding your current MFA setup, please reach out to your internal IT department or system administrator.

 

Related articles

 

 

Related articles

Comments

0 comments

Article is closed for comments.