User Authorized to Bypass MFA
Identifies when a user is exempt from using Multi-Factor Authentication (MFA) because of the configuration/settings of a newly assigned policy. Duo users who have been assigned Bypass status or placed in a Bypass Group will also fail this check. These failures can highlight unintended consequences of a particular policy, or may indicate anomalous admin behavior if there is no legitimate reason for the change.
Although there might be valid reasons for certain users to bypass MFA, these configurations should be used sparingly to minimize security risks because they make the impacted accounts much easier to compromise. Leaving Duo users in Bypass for extended periods is highly discouraged as they are never required to use additional authentication methods at log in and will skip all policies meant to govern access, including Trusted Endpoint.
Recommended Actions
Contact the admin who made the change to validate that this action was legitimate. Review that this change is appropriate for a given user's situation and if relevant, confirm that the admin has a plan in place to update the user accordingly as soon as possible.
If there are many users failing this check, review internal operating procedures that allow for this change and consider configuring role based access within your systems to limit who can make these changes if possible. If not, consider modifying related organizational processes to prevent these events from happening regularly.
Compatibility
Last updated