2024-09-27 Authentik bypass MFA in local network
How to Bypass MFA in Local Network Using Expression Policies in Your Authentication Flow
Multi-Factor Authentication (MFA) is a cornerstone of secure authentication flows. However, there are legitimate cases where you may want to skip MFA under trusted conditions — such as when a user is connecting from within a secure, local network. This guide walks you through how to configure a policy-based exemption from MFA based on a user's IP address.
Objective
Enable authentication without MFA when the user is connecting from a private (local) IP address.
Step-by-Step Configuration
1. Access the Admin Console
Log into your system's Admin Console.
2. Create a Custom Expression Policy
- Click Create New Policy.
- Type: Select Expression Policy.
- Name: local-network-check
- Expression: return ak_client_ip.is_private
This policy evaluates whether the incoming client IP address is private (i.e., local).
3. Modify the Authentication Flow
Now let's bind this policy to the authentication process.
- Click to edit the default-authentication-flow.
- Go to the Stages tab.
- Find and expand the stage default-authentication-mfa-validation.
- Click Bind Existing Policy.
- Select the local-network-check policy.
- Check the box for Negate Result.
✅ By negating the result, you're saying: "Only require MFA if the IP is NOT local."
Result
With this configuration, users connecting from a local/private IP address will bypass MFA, streamlining their login experience while maintaining strong security for all external access.
Notes
- Ensure that your network correctly identifies private IPs (10.x.x.x, 172.16.x.x - 172.31.x.x, 192.168.x.x).
- This assumes your platform supports the use of ak_client_ip.is_private in expression policies.
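As an added example (not code from this page or from the authentik project), the following Python simulates the local-network-check policy and its negated binding on the MFA validation stage offline, using the standard ipaddress module. It assumes ak_client_ip is the ipaddress.ip_address object authentik provides, so the is_private check behaves the same here as in the policy. It also goes one step beyond the guide: the decision table shows that is_private matches more than the three RFC 1918 ranges listed in the notes (loopback, link-local, the documentation ranges and IPv6 unique-local addresses all count), and a stricter RFC 1918-only variant of the expression is included for comparison.

```python
# Added example: offline simulation of the local-network-check expression policy and
# its negated binding on the MFA validation stage. Not code from the page or from the
# authentik project. Assumption: authentik's ak_client_ip is an ipaddress.ip_address
# object, so the standard ipaddress module reproduces the is_private check exactly.
import ipaddress
from typing import Callable, Dict, List


def local_network_check(ak_client_ip: str) -> bool:
    """Policy body from the guide: `return ak_client_ip.is_private`."""
    return ipaddress.ip_address(ak_client_ip).is_private


# The three RFC 1918 ranges the guide's notes list explicitly.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def strict_local_network_check(ak_client_ip: str) -> bool:
    """Stricter alternative policy body: only RFC 1918 IPv4 addresses count as local."""
    addr = ipaddress.ip_address(ak_client_ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def mfa_required(ak_client_ip: str,
                 policy: Callable[[str], bool] = local_network_check,
                 negate: bool = True) -> bool:
    """Binding semantics: with Negate Result checked, the MFA validation stage runs
    (MFA is required) exactly when the negated policy passes, i.e. the IP is NOT local."""
    passed = policy(ak_client_ip)
    return (not passed) if negate else passed


def evaluate(clients: List[str]) -> Dict[str, Dict[str, bool]]:
    """Per-address decision table for both policy variants."""
    return {
        ip: {
            "is_private": local_network_check(ip),
            "rfc1918": strict_local_network_check(ip),
            "mfa_required": mfa_required(ip),
            "mfa_required_strict": mfa_required(ip, policy=strict_local_network_check),
        }
        for ip in clients
    }


def bypass_gap(clients: List[str]) -> List[str]:
    """Addresses that skip MFA under the guide's policy but not under the RFC 1918-only one."""
    return [ip for ip in clients
            if local_network_check(ip) and not strict_local_network_check(ip)]


# Constructed sample of client addresses (not taken from any real log).
SAMPLE_CLIENTS = [
    "192.168.1.20",  # LAN host, RFC 1918
    "10.5.0.7",      # RFC 1918
    "172.20.3.9",    # inside 172.16.0.0/12
    "172.32.0.1",    # just outside 172.16.0.0/12: public
    "8.8.8.8",       # public
    "127.0.0.1",     # loopback: is_private is True, but not RFC 1918
    "169.254.10.1",  # link-local: is_private is True, but not RFC 1918
    "203.0.113.5",   # TEST-NET-3 documentation range: is_private is True, but not RFC 1918
    "fd00::1",       # IPv6 unique local: is_private is True, but not RFC 1918
]

if __name__ == "__main__":
    for ip, row in evaluate(SAMPLE_CLIENTS).items():
        flags = ", ".join(f"{k}={v}" for k, v in row.items())
        print(f"{ip:>14}  {flags}")
    print("skip MFA under is_private but not under RFC 1918-only:", bypass_gap(SAMPLE_CLIENTS))
```

Two practical points follow from the table. First, if the exemption should apply only to the LAN ranges named in the notes, a policy body along the lines of the strict variant is the safer choice; assuming authentik's expression environment exposes ip_network (an assumption to verify against your version's expression documentation), that would read: return ak_client_ip in ip_network("10.0.0.0/8") or ak_client_ip in ip_network("172.16.0.0/12") or ak_client_ip in ip_network("192.168.0.0/16"). Second, when authentik sits behind a reverse proxy, the client IP it evaluates is taken from the proxy's forwarded headers, so the exemption is only as trustworthy as the chain of proxies allowed to set those headers; confirm that only your own proxies can reach authentik directly before relying on this bypass.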