APM: One-Factor for returning users, Two-Factor for first-time

Hi,

 

I have an application that has 2F-Authentication via AD and Google Token. The users log in several times a day and every time the session times out, they need to re-authenticate again with 2F.

 

How would you configure a solution, where you don't have to do the second factor, if the user was logged on e.g. in the last 48h?

 

My idea is to give start the policy with a check for the cookie (iRule event), which checks for the cookie. If there's none, the branch leads you to the 2F-login. After the login, another iRule-Event assigns a cookie, containing the username, and further to the application (SSO).

 

On the next access, the iRule checks again for the cookie - if it's there and still valid (e.g. 24h) - the user is forwarded to the normal 1F-Auth and further to the App-SSO.

 

Would this be a suitable solution for this issue? Has anyone already such an iRule in place? What would be a secure way to configure this?

 

Thanks!