MFA Posture check questions

So, starting to look into MFA and posture checks.

Question 1:
From the documentation:

MFA Posture Checks also support forcing a client to re-submit a valid TOTP on timeout, after locking/unlocking a device, or waking a device from sleep.

Timeouts are set through the timeoutSeconds property. Where values 0 and -1 represent no timeout.

Forcing submission on lock/unlock is set through promptOnUnlock as true or false. After an unlock event the client is given a five-minute grace period before the posture check begins to fail.

Forcing submission on wake is set through promptOnWake as true or false. After a wake event the client is given a five-minute grace period before the posture check begins to fail.

and with a configuration of:


I then apply it to a dial service policy:

What I would be expecting, based on what I read in the documentation, is that should the machine go to sleep, or I lock/unlock the device, within 5 minutes I should be prompted for MFA/ require to input MFA. This is on ZDEW. However, it does not timeout and I can continue to use it. Thought I would ask here to confirm if my thinking is correct.

The expected outcome, is that you need to unlock the Ziti client when logging in / unlocking lock screen / Waking from sleep (which really is lock screen). However, you can work on the session until one of those conditions exist.

Question 2
What is the reasoning being a 5 minute grace period - the documentation does not state the reason. Is this configurable?

I tend to have my machine sleep for more than the allotted session timeout so when I return to my machine, it’s already locked but I do remember this feature and enabling and. Reading the doc, I’d have the same conclusion you have.

As for the five minute grace period, let’s use a scenario. I am ssh’ed to a remote machine using OpenZiti. I’m at an office and I need to use the bathroom. I lock my screen, use the toilet and return and unlock my screen all well within the (default) 30 minute session timeout…

When I return and unlock my screen, it’s annoying if all my OpenZiti connections are disconnected. I’ll have to re-establish all of them. Instead, it’s far more friendly to get a warning and put my MFA in, instead of having to re-ssh, or reconnect to sql server or “whatever”. Our first testers hit this exact scenario (we had implemented it as “immediately” at first) so we had to add this short grace period. I don’t think it’s configurable yet.

Make sense?

Yes, I don’t see a big use on the timeout in my scenario. Agreed about having to use a toilet or whatever - and if you are logged in, then it is ass-u-me that it is the same user. However, when un-locking should I then be getting a “hey, you got 5 mins to authenticate or else I’m cutting you off prompt?” I was not getting this.

Issue I see with 5 minutes, if I log in (switch user), then I would assume I have 5 minutes of access before being cut from that service? I understand there are trade-offs - just wanting to understand.

Yes you should. If you’re not seeing that, it’s a bug. I filed MFA Require on Wake / Unlock not showing warning · Issue #594 · openziti/desktop-edge-win · GitHub for that. @jeremy.tellier and @scareything – looks like a bug to try to squash.