Authentik bypass MFA in local network
How to Bypass MFA in Local Network Using Expression Policies in Your Authentication Flow
Multi-Factor Authentication (MFA) is a cornerstone of secure authentication flows. However, there are legitimate cases where you may want to skip MFA under trusted conditions — such as when a user is connecting from within a secure, local network. This guide walks you through how to configure a policy-based exemption from MFA based on a user's IP address.
Objective
Enable authentication without MFA when the user is connecting from a private (local) IP address.
Step-by-Step Configuration
1. Access the Admin Console
Log into your system's Admin Console.
2. Create a Policy
Go to Customization -> Policies.
Click Create New Policy.
Type: Select Expression Policy.
Name: local-network-check
Expression:
return ak_client_ip.is_private
This policy evaluates whether the incoming client IP address is private (i.e., local).
3. Modify the Authentication Flow
Now let’s bind this policy to the authentication process.
Go to Flows.
Edit default-authentication-flow.
Go to the Stages tab.
Find and expand the stage default-authentication-mfa-validation.
Click Bind Existing Policy:
Select the local-network-check policy.
Check the box for Negate Result.
✅ A stage binding only runs its stage when the bound policy passes. By negating the result, you're saying: “Only require MFA if the IP is NOT local.”
Result
Done. With this configuration, users connecting from a local/private IP address will bypass MFA, streamlining their login experience while maintaining strong security for all external access.
Notes
Ensure that your network correctly identifies private IPs (10.x.x.x, 172.16.x.x - 172.31.x.x, 192.168.x.x).
This assumes your platform supports the use of ak_client_ip.is_private in expression policies. It also assumes that the client IP authentik evaluates is the real client address: if authentik sits behind a reverse proxy, forwarded-for headers must be accepted only from that proxy, otherwise the address the policy sees may not be the one that actually connected.