In this article, we will go over the new Rhombus updates for 2-factor authentication:
Two-Factor Authentication Update (2FA)
Whenever new users log in from a browser or mobile app, they will be prompted to go through a captcha and 2-Factor Authentication.
Once users have gone through this first login process, they will no longer need to go through a captcha, but they will still be prompted to go through 2FA.
This 2FA requirement can be adjusted at the org level: a newly released feature allows users to opt out of 2FA on trusted devices. In addition, an account-wide setting will be made available to specify after how many days users must re-authenticate.
When logging into their account, users will have three opportunities to enter the correct password before going through the captcha and 2FA process, even if they are in their opt-out period. If a user repeatedly fails to enter a valid password, that device will become untrusted. If 10 combined failed login attempts occur from any untrusted source, that account will be locked for 10 minutes for any untrusted source. Trusted devices will still be able to log in.
- Users on untrusted devices must solve a reCAPTCHA ("I'm not a robot") when entering a password; a device becomes trusted after a successful login.
- By default, 2FA will be enabled for new users. However, when entering a 2FA code, the user can "skip 2FA for future logins" on a per-device basis if enabled by the org.
- A lockout mechanism was added when too many incorrect passwords are entered (10 for untrusted devices; a warning is given when 1-3 tries remain).
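The trusted-device, captcha, 2FA opt-out and lockout rules described above, modelled as an added Python example. This is not Rhombus code: the `Account` class, the constants, the result strings and the `captcha_solved`, `otp_ok` and `remember_device` parameters are assumptions made for illustration, and the time value is passed in explicitly so the lockout window can be exercised without waiting.

```python
"""Toy model of a trusted-device / lockout login policy (added example, not Rhombus code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

TRUSTED_GRACE_ATTEMPTS = 3   # wrong passwords a trusted device may enter before it is demoted
LOCKOUT_THRESHOLD = 10       # combined failures from untrusted sources that lock the account
LOCKOUT_SECONDS = 10 * 60    # how long untrusted sources stay locked out
WARN_WHEN_REMAINING = 3      # warn the user when 1-3 tries remain


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; a production system would use argon2/bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class LoginResult:
    # status is one of: ok, captcha_required, 2fa_required, wrong_password, device_untrusted, locked
    status: str
    tries_remaining: Optional[int] = None
    warning: bool = False
    retry_after: int = 0          # seconds, only set when status == "locked"


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    reauth_days: int = 30                  # account-wide "re-authenticate after N days" setting
    org_allows_skip_2fa: bool = False      # org-level switch for "skip 2FA for future logins"
    trusted: set = field(default_factory=set)              # devices that passed a login
    skip_2fa_until: dict = field(default_factory=dict)     # device_id -> unix time opt-out ends
    trusted_failures: dict = field(default_factory=dict)   # device_id -> wrong passwords so far
    untrusted_failures: int = 0            # account-wide counter for untrusted sources
    locked_until: float = 0.0

    @classmethod
    def create(cls, password: str, reauth_days: int = 30, allow_skip_2fa: bool = False) -> "Account":
        salt = os.urandom(16)
        return cls(salt, _hash(password, salt), reauth_days=reauth_days,
                   org_allows_skip_2fa=allow_skip_2fa)

    def _password_ok(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self.salt), self.pw_hash)

    def attempt_login(self, device_id: str, password: str, now: float,
                      captcha_solved: bool = False, otp_ok: bool = False,
                      remember_device: bool = False) -> LoginResult:
        trusted = device_id in self.trusted
        if not trusted:
            # Lockout and captcha apply to untrusted sources only; trusted devices bypass both.
            if now < self.locked_until:
                return LoginResult("locked", retry_after=int(self.locked_until - now))
            if not captcha_solved:
                return LoginResult("captcha_required")
        if not self._password_ok(password):
            return self._record_failure(device_id, trusted, now)
        # Correct password: 2FA is required unless this device is inside its opt-out window.
        needs_2fa = now >= self.skip_2fa_until.get(device_id, 0.0)
        if needs_2fa and not otp_ok:
            return LoginResult("2fa_required")
        if needs_2fa and remember_device and self.org_allows_skip_2fa:
            self.skip_2fa_until[device_id] = now + self.reauth_days * 86400
        # Successful login: the device is now trusted and its grace counter is cleared.
        self.trusted.add(device_id)
        self.trusted_failures.pop(device_id, None)
        return LoginResult("ok")

    def _record_failure(self, device_id: str, trusted: bool, now: float) -> LoginResult:
        if trusted:
            n = self.trusted_failures.get(device_id, 0) + 1
            if n >= TRUSTED_GRACE_ATTEMPTS:
                # Repeated failures demote the device: it loses trust and any 2FA opt-out,
                # so its next attempt goes through captcha and 2FA like any untrusted source.
                self.trusted.discard(device_id)
                self.skip_2fa_until.pop(device_id, None)
                self.trusted_failures.pop(device_id, None)
                return LoginResult("device_untrusted")
            self.trusted_failures[device_id] = n
            return LoginResult("wrong_password", tries_remaining=TRUSTED_GRACE_ATTEMPTS - n)
        # Untrusted failures are counted across all sources for this account.
        self.untrusted_failures += 1
        remaining = LOCKOUT_THRESHOLD - self.untrusted_failures
        if remaining <= 0:
            self.locked_until = now + LOCKOUT_SECONDS
            self.untrusted_failures = 0
            return LoginResult("locked", retry_after=LOCKOUT_SECONDS)
        return LoginResult("wrong_password", tries_remaining=remaining,
                           warning=remaining <= WARN_WHEN_REMAINING)
```

The two counters are deliberately separate: a trusted device's three-try grace is per device and only demotes that device, whereas failures from untrusted sources are pooled per account so that a distributed guessing run still trips the ten-attempt lockout, while trusted devices keep working during the lockout window.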