Conditional "AllowPauseforDays" feature for specific Access Policies

[derSchweiger]

Initial situation:
Within the ADFS properties you have the choice to configure the KMSI (Keep Me Signed In) settings. These settings provide users with the ability to decide, whether or not they want to stayed logged in for an extended period of time. The ADFS MFA plugin provides a similar feature with the "AllowPauseForDays" option.

As an administrator you can enable the KMSI feature with PowerShell:

PS C:\Users\adm.kschweiger> Get-AdfsProperties | fl *kmsi*

KmsiLifetimeMins : 44640
KmsiEnabled      : True

If you have enabled this feature, users get an additional checkbox while providing the first factor:

Additionally, if the ADFS MFA feature "AllowPauseForDays" has also been enabled, users have the option to not be prompted for the second factor for the configured time period (in this case 90 days):

Problem
For some applications it might be necessary to ask for the first and second factor each time the user wants to access this application (e.g. VPN client). To fulfil this requirement, the ADFS access policies provides you with the "Require users to provide credentials each time at sign-in" option:

If you enable this option within the corresponding access policy, the "Keep me signed in" checkbox gets removed:

But after providing the second factor, you still get the ability to trigger the "AllowPauseforDays" feature within the ADFS MFA plugin or, if you have selected this checkbox previously, you won't get prompted for the second factor at all.

In my opinion, the best workflow would be to also suppress the "AllowPauseforDays" option. If you set an access policy that triggers a new sign-in every time you access this application, you shouldn't be able to safe the second factor as well. Currently, it's only possible to enable/disable the "AllowPauseForDays" feature for all applications. There is no way to exclude particular apps from this rule. This behaviour might result into a security risk.

If you have any questions, please let me know.

[redhook62]

hi @derSchweiger

Yes, I completely agree with you.
However this functionality was added for a specific request. Overall,
Some decision-makers/managers do not like to go through MFA and have asked to have the same functionality as that offered by Microsoft for Azure AD.

This feature can and is default to inactive.
The recommendations made by the security teams are perceived as unbearable constraints...

Indeed, what should be done by default without the possibility of deactivating is to align with the ADFS KMSI. and to bypass the MFA if the user goes through the KMSI.

Maybe for version 4.0 by the end of the year.

regards

[derSchweiger]

Hi @redhook62,

thank you very much for your comment!

Don't get me wrong. Having the ability to enable the "AllowPauseForDays" feature is a great improvement for this plugin and to be honest, my users don't want to work without it. But from a security perspective it shouldn't be possible to overrule the "Require users to provide credentials each time at sign-in" parameter within an access policy.

If the access policy for an application has the option "Require users to provide credentials each time at sign-in" enabled:

• the second factor should be queried all the time without an exception
• after providing the second factor the user shouldn't have the option to tick the checkbox for "AllowPauseForDays". So basically, the following site should be suppressed: https://user-images.githubusercontent.com/79589007/268937146-6b789fda-ecf1-4946-9ae9-8c8df854c8e8.png

Another feature which is not security related but could improve the usability:
If the KMSI checkbox has been ticket by the user and the "AllowPauseForDays" is enabled by an administrator, the "AllowPauseForDays" checkbox should be set automatically to true and the site (https://user-images.githubusercontent.com/79589007/268937146-6b789fda-ecf1-4946-9ae9-8c8df854c8e8.png) shouldn't be displayed.

[redhook62]

@derSchweiger

One thing is certain, we do not have the possibility of intervening on Microsoft's pages, except to replace the authentication modes (which will certainly be an additional feature in the future).

And I think that the "AllowPauseForDays" can only be active if the KMSI and the persistence of SSO are not activated,
In any case the ADFS configuration will be prioritized.

Another important point, which we are not considering and have always refused to do, namely: manage the triggering of MFA from a user or application "context". this MUST be managed at the ADFS level.

regards

[derSchweiger]

One thing is certain, we do not have the possibility of intervening on Microsoft's pages, except to replace the authentication modes (which will certainly be an additional feature in the future).
Yes, that's understandable.

And I think that the "AllowPauseForDays" can only be active if the KMSI and the persistence of SSO are not activated,
In any case the ADFS configuration will be prioritised.
Why? If the KMSI setting has been enabled by the administrator, users have the choice to persist the session for a certain period of time. Let's say that the KmsiLifetimeMins has been set to 30 days. Within these 30 days, the user doesn't need to provide his first factor again. So it would be very convenient, if this also applies to the second factor. Am I missing something here?

Another important point, which we are not considering and have always refused to do, namely: manage the triggering of MFA from a user or application "context". this MUST be managed at the ADFS level.
Yes, I agree. If I've understood the workflow correctly, the "AllowPauseForDays" feature sets a cookie named "MFAPersistent" which will then suppress the second factor. However, if the access policy is configured to "Require users to provide credentials each time at sign-in", this cookie shouldn't be valid for this logon attempt and the second factor should be enforced.

[redhook62]

Hi @derSchweiger

Some details.

Having retested the use of the KMSI, I can confirm several things to you

• KMSI enabled by ADFS administrator
  • the user is required to log in
    • Login (pwd, certificate, device registration, Windows Hello for business, Windows Authentication
    • MFA (any active provider)
    • if AllowPauseForDays (false by default) is active the user can suspend the MFA
• if the user have checked ADFS "Remember me" at next logon the MFA is not called by ADFS, regardless of the status of AllowPauseForDays
• If you force the user to log in every time, login/MFA process runs normally (with AllowPauseForDays active or not)

The thing we will do as indicated previously,

if the KMSI ADFS is activated by the administrator, the suspension of the MFA will be inactive (whether this option has been activated or not), so at each forced request on a relying party, the login process /MFA will be enabled.

If the KMSI ADFS is not activated, you will have the Global possibility to suspend the MFA and not by Relying Party with a particular configuration.
Access policies are the responsibility of ADFS configuration, we don't want to interfere.

So my recommendation right now is to enable ADFS KMSI if you want and disable "AllowPauseForDays".
In version 4.0 these two possibilities (KMSI, AllowPauseForDays) will be exclusive with priority given to the ADFS KMSI in fact.

regards

[derSchweiger]

Great, thank you very much for testing @redhook62!
So for our deployment we are going with your recommendation: Enabling ADFS KMSI and disabling MFA "AllowPauseForDays". It should fulfil both needs:

• Giving users the ability to remember there logon for most applications
• Giving administrators the ability to force logon (and MFA) for certain high security applications (like VPN) via access policies