About this article
This article explains why multi-factor authentication (MFA) prompts appear around midnight and describes two solutions. Sections in this article:
- How does the Templafy authentication process work?
- Conditions for Templafy to refresh the JWT
- Solution 1: Adjusting the MFA conditions
- Solution 2: Group Policy – Hibernation Mode
How does the Templafy authentication process work?
Templafy uses JSON Web Tokens (JWT), an open industry standard (RFC 7519) for representing claims securely between two parties. The Templafy Desktop application uses a refresh token to verify the user's access to the tenant and its content.
This refresh token has a lifetime of 24 hours and is refreshed by the Templafy Desktop application every day around midnight (the load is distributed across the first hour after midnight).
To refresh the token, Templafy sends an authentication request to the user's Identity Provider (IdP). If the IdP has an MFA condition in place for this request, the end user is prompted to confirm the authentication.
Conditions for Templafy to refresh the JWT
Once the refresh token has expired, the Templafy Desktop application attempts to re-authenticate the user by requesting a new JWT under the following conditions:
- If the computer is asleep or turned off, Templafy Desktop refreshes the token once the user logs into Windows and the Templafy Desktop application starts automatically.
- If Windows and Templafy Desktop are still running after midnight, Templafy Desktop refreshes the token at that point.
Depending on the MFA conditions, this re-authentication requires the user to confirm the authentication attempt, which prevents the Templafy Desktop application from refreshing the SSO token seamlessly (that is, silently).
Solution 1: Adjusting the MFA conditions
It is recommended to define MFA conditions that do not require user confirmation upon every Templafy authentication request but rather under specific conditions. This will provide an improved user experience and an uninterrupted workflow.
The specific MFA conditions must be reviewed by your security team, but an example could be:
| MFA challenge when | Login for the first time (any device, any location); stored for the full session (~8 hours) |
| Exception | Using a Managed Browser from a corporate device (native login) does not challenge MFA; Templafy One uses Internet Explorer, Templafy Hive uses Edge Chromium (WebView2) |
Solution 2: Group Policy – Hibernation Mode
If an MFA challenge is required for every authentication process, it is possible to push a group policy to all users' machines that changes the Windows power settings.
An example setting would be that after one hour of inactivity the machine enters hibernation or sleep mode. When the machine enters this mode, Windows automatically saves all work and closes the Templafy Desktop application, so the authentication request at midnight does not occur.
Although this solution removes the authentication prompts at midnight, it prevents the SSO process from being seamless.
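The power-setting change from Solution 2, as an added example rather than a script from Templafy: it applies the one-hour idle timeout on a single test machine with powercfg and reads the resulting value back for verification. It assumes an elevated PowerShell prompt on Windows 10/11 and the standard powercfg aliases (SCHEME_CURRENT, SUB_SLEEP, HIBERNATEIDLE); the equivalent Group Policy setting lives under Computer Configuration > Administrative Templates > System > Power Management > Sleep Settings.

```powershell
# Added example (not Templafy's own script): set the idle timeouts described in
# Solution 2 on one machine so the behaviour can be validated before a Group
# Policy rolls the same values out to every user. Run from an elevated prompt.

$IdleMinutes = 60   # one hour of inactivity, as in the article's example

# A hibernate timeout only takes effect when hibernation itself is enabled.
powercfg /hibernate on

# The article allows either sleep or hibernation, so set both timeouts to the
# same idle period, for plugged-in (ac) and battery (dc) operation alike.
powercfg /change standby-timeout-ac   $IdleMinutes
powercfg /change standby-timeout-dc   $IdleMinutes
powercfg /change hibernate-timeout-ac $IdleMinutes
powercfg /change hibernate-timeout-dc $IdleMinutes

# Verification: powercfg reports the active scheme's hibernate-after setting
# as a hexadecimal number of seconds (0x00000e10 = 3600 s = 60 min).
powercfg /query SCHEME_CURRENT SUB_SLEEP HIBERNATEIDLE
```

A machine that has been hibernated before midnight never issues the token refresh; the refresh (and any MFA prompt) then happens at the next Windows login, as described in "Conditions for Templafy to refresh the JWT".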
If you have any questions regarding your current MFA setup, please reach out to your internal IT department or system administrator.