Skip Second Factor for Remote Access
You can allow users associated with the Imprivata Confirm ID Remote Access workflow to skip the second authentication factor:
- In the Imprivata Admin Console, go to Users > Workflow policy.
- Go to Remote access workflows > Log In and check Allow users to skip the second factor on remembered devices for...
- Select how long the user can skip second factor (1 hour minimum — 120 days maximum). The default is 30 days.
- Click Save.
About Skip Second Factor
- This feature does not turn off second factor for all remote access users: each user will be presented with the option Remember device for X days (30 days is the default).
- Skip Second Factor is an option for all users associated with the Remote Access Log In workflow.
- Skip Second Factor is available only for remote access gateways that use Imprivata cloud-based authentication with the Imprivata Confirm ID graphical user interface. The legacy RADIUS remote access experience does not support Skip Second Factor.
- Remember device — when selected, the user will not be prompted for a second factor on this browser on this computer for this Imprivata Confirm ID enterprise. Any other browsers and any other computers this user logs into will still enforce two factor authentication.
  If the user logs in from other browsers (on the same computer or another computer), she can choose to skip second factor again.
- If she logs into another Imprivata Confirm ID enterprise from the same browser, her Remember device selection will not apply.
- Cookies — Skip Second Factor is not supported if cookies or local storage are disabled or deleted in the browser:
  - The browser must be able to create cookies when the user enables Skip Second Factor.
  - Later, the browser must be able to access those cookies when the user expects to skip second factor at subsequent logins.
Typical User Workflow
- The user enters her username and password in the Imprivata Confirm ID interface at her remote access gateway.
- She clicks Log in.
- The interface for her second authentication method appears. With this feature enabled, she will also see a new option: Remember device for 30 days (the duration you selected above will appear here). A popup help message recommends Use only for trusted workstations.
- The user selects this option.
- The user completes her second factor authentication.
The user will not have to complete two factor authentication at this browser on this computer again until the period elapses.

At any time, you can enforce two factor authentication again for a user that has selected to skip it. For example, if a user reports someone has access to her browser, or you have any other security concerns about a specific user:
- In the Imprivata Admin Console, go to Users > Users and find the specific user.
- Open the Edit User page.
- In the section Require second factor for log in, click Require 2FA on all devices.
- Click Save.
Two factor authentication is now enforced for this user; the next time this user completes two factor authentication, she can again choose to skip.

At any time, you can enforce two factor authentication again for all users:
- In the Imprivata Admin Console, go to Users > Workflow policy.
- Go to Remote access workflows > Log In and un-check Allow users to skip the second factor on remembered devices for...
- Click Save.
Two factor authentication is now enforced for all users. They will not be presented with the Remember device option again.

At any time, you can shorten or lengthen the duration of Skip Second Factor for all users:
- In the Imprivata Admin Console, go to Users > Workflow policy.
- Go to Remote access workflows > Log In and edit the value for Allow users to skip the second factor on remembered devices for...
- Click Save.
If you have reduced the duration for Skip Second Factor, two factor authentication will be enforced for all users who already selected it if the new time period has already elapsed. The next time users complete two factor authentication, they can again choose to skip.
If you have extended the duration for Skip Second Factor, the new duration will be enforced for all users who already selected it and all forthcoming users.
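The rules described above, modelled as an added example (this is not Imprivata code or an Imprivata API): a remembered device is scoped to user, browser and enterprise, and the skip window is checked at each login. The names `Policy`, `second_factor_required`, `remembered` and `revoked_at` are hypothetical, and the model assumes the window is measured against the duration currently configured, which is the behaviour the two paragraphs above describe.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_SKIP = timedelta(hours=1)   # documented minimum
MAX_SKIP = timedelta(days=120)  # documented maximum


@dataclass
class Policy:
    """Hypothetical stand-in for the Remote access Log In workflow setting."""
    skip_enabled: bool = True
    skip_duration: timedelta = timedelta(days=30)  # documented default

    def __post_init__(self):
        if not MIN_SKIP <= self.skip_duration <= MAX_SKIP:
            raise ValueError("skip duration must be 1 hour to 120 days")


def second_factor_required(policy, user, browser_id, enterprise,
                           remembered, revoked_at, now):
    """Return True when this login must complete the second factor.

    remembered: {(user, browser_id, enterprise): datetime the device was remembered}
    revoked_at: {user: datetime an admin clicked "Require 2FA on all devices"}
    """
    if not policy.skip_enabled:
        return True  # option unchecked for all users
    remembered_at = remembered.get((user, browser_id, enterprise))
    if remembered_at is None:
        return True  # other browser, computer or enterprise, or cookie gone
    revoked = revoked_at.get(user)
    if revoked is not None and remembered_at <= revoked:
        return True  # per-user reset; a later 2FA login may remember again
    # Assumption: the window is measured against the duration in force now,
    # so shortening or extending it affects devices already remembered.
    return now - remembered_at >= policy.skip_duration


# Constructed sample data, not taken from a real deployment.
T0 = datetime(2024, 1, 1, 9, 0)
REMEMBERED = {("alice", "browser-A", "enterprise-1"): T0}

if __name__ == "__main__":
    day10 = T0 + timedelta(days=10)
    for label, pol in [("30 days", Policy()),
                       ("7 days", Policy(skip_duration=timedelta(days=7)))]:
        need = second_factor_required(pol, "alice", "browser-A", "enterprise-1",
                                      REMEMBERED, {}, day10)
        print(f"duration {label}: second factor required on day 10 = {need}")
```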
Other Imprivata Confirm ID Grace Periods
You may improve the user experience for other Imprivata Confirm ID workflows by providing a grace period where Imprivata Confirm ID skips second factor authentication:
- In the Imprivata Admin Console, go to Users > Workflow policy.
- In the section Workflow options, set a grace period (24 hours, 59 minutes maximum), where a user does not have to complete second factor authentication after proximity card authentication and/or fingerprint authentication.
- Click Save.
NOTE: This selection does not apply to Remote Access or EPCS workflows.