Currently my company has a policy that allows users to sign in with username, password, and a 2nd factor. Once the user has signed in with the 2nd factor initially, successive attempts do not require a 2nd factor for 30 days (factor lifetime set to 30 days).
I would like to enable WebAuthn/FIDO2 capability as an option for all users. When I enabled factor sequencing, I added a chain for WebAuthn/FIDO2. Then I added another chain that allowed password and SMS (2nd factor). Everything worked fine for those who have a platform-based authenticator, but the users without a PB authenticator are prompted for the 2nd factor (SMS) on every successive login (before, they would only be prompted every 30 days when the factor lifetime expires).
Is there some way that I can apply one policy/rule to the entire group that will retain the factor lifetime functionality for those without platform-based authenticators, but still allow those who have a platform-based authenticator enabled to use passwordless login (WebAuthn/FIDO2)?
I have also tried a few other configurations, such as having a factor chain as the first rule with WebAuthn as the only factor chain, and adding the old rule as the second rule. When I do that, it requires everyone (even people without platform-based authenticators) to use a platform-based authenticator (meaning those without a PB authenticator can't log in).
Any help on this is appreciated, as the docs on factor chains are a bit sparse and I am assuming there is a simple way to achieve this that I am overlooking.