How to bypass MFA for users when they are within the corporate network or on a managed device.
MFA is optional but strongly recommended for organizations. Under certain conditions, organizations may choose to bypass the default multi-factor authentication behavior. Akamai provides customers with configuration options that allow an administrator to bypass MFA in the following circumstances:
- When the user accesses the application from a corporate network, using a specific on-premises subnet IP.
- When the user is using a managed device with a valid client certificate (see limitations in Configure bypass MFA criteria for an Akamai identity provider).
- When the user is inside a corporate network, using a specific on-premises subnet IP, with a managed device that has a valid client certificate (see limitations in Configure bypass MFA criteria for an Akamai identity provider).
Use bypass MFA only if you understand the risks and agree to assume responsibility for them.
Bypass MFA applies only to MFA factors such as SMS, Email, TOTP and DUO; it does not apply to certificate-based authentication by the IdP. Bypass MFA cannot be used with PCI DSS MFA.
The workflow is:
STEP 1: If you've configured an MFA policy in the Akamai identity provider (IdP), also add one or more bypass MFA criteria in the IdP. By default, the bypass MFA criteria apply to all applications using this IdP.
STEP 2: Use the identity provider as the authentication source for the application for which you want to bypass MFA, and assign the directory the user belongs to to this identity provider.
STEP 3: When the user accesses the application or the identity provider and the bypass criteria are met, the user is not prompted for MFA. If any of the bypass MFA criteria is not met, the user is prompted for MFA.
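The decision the three steps describe, written out as an added example (this is not Akamai's code and does not use any Akamai API): each bypass criterion is modelled as a subnet requirement, a client-certificate requirement, or both, and every condition a criterion lists must hold for it to match. The page does not say how several configured criteria combine, so the example assumes a bypass applies when at least one criterion is fully satisfied; the names `BypassCriterion`, `LoginContext` and `should_prompt_mfa` are hypothetical, and the factor list and the PCI DSS and certificate-based exclusions come from the text above.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Factors a bypass criterion may skip (from the page). Certificate-based IdP
# authentication and PCI DSS MFA are never bypassed.
BYPASSABLE_FACTORS = {"SMS", "EMAIL", "TOTP", "DUO"}


@dataclass
class BypassCriterion:
    """Hypothetical model of one bypass MFA criterion.

    subnets: on-premises CIDR ranges the source IP must fall into (empty = no
             subnet condition); require_client_cert: the managed device must
             present a valid, unexpired client certificate.
    """
    subnets: List[str] = field(default_factory=list)
    require_client_cert: bool = False


@dataclass
class LoginContext:
    """What the IdP knows about one login attempt (constructed for the example)."""
    source_ip: str                      # peer address as seen by the IdP, not a client-supplied header
    factor: str                         # the MFA factor the policy would otherwise prompt for
    client_cert_valid: bool = False     # outcome of TLS client-certificate validation
    client_cert_not_after: Optional[datetime] = None
    pci_dss_mfa: bool = False           # application is under the PCI DSS MFA policy


def _in_subnets(ip: str, subnets: List[str]) -> bool:
    """True when ip lies inside any of the configured CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in subnets)


def _cert_ok(ctx: LoginContext, now: datetime) -> bool:
    """A certificate counts only if validation passed and it has not expired."""
    if not ctx.client_cert_valid or ctx.client_cert_not_after is None:
        return False
    return ctx.client_cert_not_after > now


def criterion_met(criterion: BypassCriterion, ctx: LoginContext, now: datetime) -> bool:
    """Every condition the criterion lists must hold; an empty criterion never matches."""
    if not criterion.subnets and not criterion.require_client_cert:
        return False
    if criterion.subnets and not _in_subnets(ctx.source_ip, criterion.subnets):
        return False
    if criterion.require_client_cert and not _cert_ok(ctx, now):
        return False
    return True


def should_prompt_mfa(criteria: List[BypassCriterion], ctx: LoginContext,
                      now: Optional[datetime] = None) -> bool:
    """Return True when the user must be prompted for MFA, False when a bypass applies."""
    now = now or datetime.now(timezone.utc)
    # Exclusions from the page: bypass never covers PCI DSS MFA or a
    # certificate-based factor, whatever the criteria say.
    if ctx.pci_dss_mfa or ctx.factor.upper() not in BYPASSABLE_FACTORS:
        return True
    # Assumption: one fully satisfied criterion is enough to skip the prompt.
    return not any(criterion_met(c, ctx, now) for c in criteria)


if __name__ == "__main__":
    # Constructed sample policy: corporate subnet plus managed device with a valid certificate.
    policy = [BypassCriterion(subnets=["10.20.0.0/16"], require_client_cert=True)]
    fixed_now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    attempts = {
        "office, managed": LoginContext("10.20.4.7", "TOTP", True, datetime(2030, 1, 1, tzinfo=timezone.utc)),
        "office, expired cert": LoginContext("10.20.4.7", "TOTP", True, datetime(2020, 1, 1, tzinfo=timezone.utc)),
        "remote, managed": LoginContext("203.0.113.9", "TOTP", True, datetime(2030, 1, 1, tzinfo=timezone.utc)),
        "office, PCI app": LoginContext("10.20.4.7", "TOTP", True, datetime(2030, 1, 1, tzinfo=timezone.utc), pci_dss_mfa=True),
    }
    for label, ctx in attempts.items():
        # Log every decision so bypass use stays auditable.
        print(f"{label:22s} prompt_mfa={should_prompt_mfa(policy, ctx, fixed_now)}")
```

Two design points worth keeping when building anything like this: the source address must be the address the IdP itself observed on the connection, not a forwarded header the client can set, and the certificate check must be the result of real chain validation rather than the mere presence of a certificate. Both inputs are what the bypass decision rests on, so logging each skipped prompt with the criterion that matched makes later review possible.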