ADFS 4.0 - Protect Change Password Link with MFA

  • Question

  • Hi,

    We've enabled MFA in ADFS for our federated applications.

    We also would like to enable the "Change Your Password" feature/link (https://federation.com/adfs/portal/updatepassword/).

    If we enable that endpoint, the user can get there without providing MFA.
    How can we enforce MFA for that Change Password Link?

    Kind Regards,
    Andreas



    Tuesday, October 2, 2018 2:50 PM

Answers

  • But that's the catch-22. MFA kicks in after a successful auth. If your password has expired, you cannot perform a successful auth before you effectively changed your password.

    You should be able to change your password as long as you stick to the password policy (minimum password age in that case).


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.


    Tuesday, October 9, 2018 1:13 PM
    Owner
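    An added example (not part of the thread, and not Microsoft's own documentation) that runs through the pieces this answer touches on an AD FS 4.0 / Windows Server 2016 farm: enabling and publishing the Update Password endpoint, showing that the MFA rules are additional-authentication rules that only apply after primary authentication, and checking the minimum password age that decides whether the page will accept a change. It assumes the ADFS and ActiveDirectory PowerShell modules are present and that `$userName` is a sample account name; both are assumptions, not values from the thread.

```powershell
# Added example, not code from the original post.
# Assumptions: run as an AD FS administrator on the primary AD FS server,
# ADFS and ActiveDirectory modules installed, $userName is a test account.
Import-Module ADFS
Import-Module ActiveDirectory

$endpointPath = '/adfs/portal/updatepassword/'
$userName     = 'andreas'   # assumption: sample sAMAccountName

# 1. Enable the Update Password endpoint and publish it through the
#    Web Application Proxy so extranet users can reach it.
#    Endpoint changes only take effect after the AD FS service restarts.
Enable-AdfsEndpoint -TargetAddressPath $endpointPath
Set-AdfsEndpoint    -TargetAddressPath $endpointPath -Proxy $true
Restart-Service adfssrv

Get-AdfsEndpoint -AddressPath $endpointPath |
    Select-Object AddressPath, Enabled, Proxy

# 2. The MFA configuration lives in the additional authentication rules and
#    the global authentication policy. Both are evaluated only after a
#    successful primary authentication, which is why they cannot gate the
#    password-change page itself.
Write-Host 'Global additional authentication rules:'
Get-AdfsAdditionalAuthenticationRule
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object AdditionalAuthenticationProvider,
                  PrimaryIntranetAuthenticationProvider,
                  PrimaryExtranetAuthenticationProvider

# 3. Why the page may refuse a change: the account must satisfy the domain's
#    minimum password age. An account flagged "User must change password at
#    next logon" has pwdLastSet = 0, so it is always eligible.
#    (Fine-grained password policies would need
#    Get-ADUserResultantPasswordPolicy instead of the domain default.)
$policy = Get-ADDefaultDomainPasswordPolicy
$user   = Get-ADUser $userName -Properties PasswordLastSet, pwdLastSet, PasswordExpired

$earliestChange = if ($user.pwdLastSet -eq 0) {
    'now (must change at next logon)'
} else {
    $user.PasswordLastSet + $policy.MinPasswordAge
}

[pscustomobject]@{
    User            = $user.SamAccountName
    PasswordLastSet = $user.PasswordLastSet
    PasswordExpired = $user.PasswordExpired
    MinPasswordAge  = $policy.MinPasswordAge
    EarliestChange  = $earliestChange
}
```

    Step 3 is the check to run when a user reports that the page "only works with the must-change flag set": if `EarliestChange` is in the future, the domain's minimum password age is what is blocking the change, not the endpoint.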

All replies

  • To protect the page itself? I don't follow.

    MFA kicks in only after a successful primary authentication. So it will kick in after a password change if the criteria are met.



    Friday, October 5, 2018 6:22 PM
    Owner
  • Yes, that is my question. Can you get MFA to kick in before getting to the Password Change Page?
    But it sounds like that is not possible then.

    I also noticed that, if I go directly to the Change Password Link/Page, I can only change my password if my AD account is marked with "User must change password at next logon". Is that expected behavior, or should you be able to change your password there any time?

    Thanks,
    Andreas



    Tuesday, October 9, 2018 9:29 AM