Users not prompted for Symantec VIP MFA or 2-factor authentication after disabling the Remembered Device feature


Article ID: 257248



VIP Service


After disabling the Remembered Device option, users are logged in directly without an MFA prompt, and the RADIUS Validation Server logs show that the authentication was successful.


This behavior is observed when Intelligent Authentication (IA) is enabled at the VIP Manager account level.

IA uses three risk engines: a Rules Engine, a Behavior (learning) Engine, and a Device Engine.

Rules Engine: Match against various configurations and data feeds to determine if a transaction is risky (e.g. a list of risky IPs or risky countries).

Behavior Engine: Match against past transactions for a user to determine if that user's behavior is unusual (e.g. a new user, the elements of the user agent string or browser version the user logs in with, unusual travel patterns, etc.). Initially, when unusual behavior is detected, the transaction is flagged as risky and the end user is challenged for MFA. However, over time, similar repetitive behavior creates a pattern that lowers the risk score for that user. Because they passed MFA prompts successfully, that behavior is no longer flagged as risky.

Device Engine: This provides a digital fingerprint stored on a device. A user login without a fingerprint (unrecognized device) is treated as risky. If VIP IA subsequently receives a DenyRisk call with a request to remember the device, and there is a JavaScript writeTag() call to persist the fingerprint on the device, then the device will be remembered. This process can be automated by the VIP JavaScript included on your login page. A remembered device will not be treated as risky.


Summary: The VIP IA system collates the risk evaluations of each risk engine.  If the risk contribution of each engine results in a risk score below the risk threshold configured in VIP Manager IA settings, the transaction is treated as non-risky.  

If VIP APIs are integrated into your application, you can evaluate the IA result and decide how to handle the risk level (for example, MFA step-up authentication, a request to call a call center for verification, etc.).

If VIP JavaScript is integrated into the login page, you can automate what happens when IA returns a risk evaluation result. For example, when a risky transaction is detected, an MFA step-up (for example, a push message to the user's phone) will occur. When a transaction is evaluated as non-risky, there is no need for MFA step-up authentication (the user will not receive a push message to the phone), and the user is granted access to the requested resource.

VIP Intelligent Authentication is a VIP Authentication method. If an IA authentication passes successfully without a risky result, this is considered a secure attempt, and no additional authentication from the user is required.