Currently, there does not seem to be any built-in feature in which devices are fingerprinted (uniquely tracked) and actioned upon (i.e., forcing MFA) based on risk factors such as sign-in location, device identity, etc. Ideally, devices could be fingerprinted so that users could choose, upon sign-in, to "mark" that device to not be prompted for MFA (per Application) during future login sessions, OR to opt in to force MFA for future login sessions (per Application). There should be a configuration option to allow administrators to decide whether users can make the decision to opt in or opt out of MFA. Similarly, there should be a configuration option to turn on device fingerprinting and actioning.
This would be a beneficial feature as this would allow users to be able to control the security of their account more (by way of opting in to forced MFA). This would additionally allow "smarter" MFA prompts that the system could enforce when there is a higher sign-in risk for a particular session, such as when it is from an unfamiliar device.
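A sketch of the decision logic this request describes, as an added example that is not part of the original submission or of any existing product. Every name here (`AdminConfig`, `UserPrefs`, `require_mfa`, `device_id`), the keyed-hash device identifier, and the choice to evaluate risk signals before user preferences are assumptions made for illustration.

```python
# Hypothetical names throughout; the key and device attributes are constructed.
import hashlib
import hmac
from dataclasses import dataclass, field

SERVER_KEY = b"constructed-demo-key"  # assumption: per-tenant secret kept server-side


def device_id(attributes: dict) -> str:
    """Keyed hash of device attributes, so raw attributes are not stored."""
    canonical = "|".join(f"{k}={attributes[k]}" for k in sorted(attributes))
    return hmac.new(SERVER_KEY, canonical.encode(), hashlib.sha256).hexdigest()


@dataclass
class AdminConfig:
    fingerprinting_enabled: bool = True  # device fingerprinting and actioning on/off
    allow_user_choice: bool = True       # may users opt in or out of MFA themselves?


@dataclass
class UserPrefs:
    force_mfa_apps: set = field(default_factory=set)  # apps where the user opted in
    trusted: set = field(default_factory=set)         # (app, device_id) marked "skip MFA"
    seen_devices: set = field(default_factory=set)    # device ids seen on earlier sign-ins
    seen_locations: set = field(default_factory=set)  # locations seen on earlier sign-ins


def require_mfa(cfg, prefs, app, attrs, location):
    """Return (prompt_for_mfa, reason) for one sign-in to one application."""
    if not cfg.fingerprinting_enabled:
        return True, "fingerprinting off: baseline MFA"
    dev = device_id(attrs)
    # Risk signals come first, so a stored "skip MFA" mark never applies
    # to a device or location the account has not used before.
    if dev not in prefs.seen_devices:
        return True, "unfamiliar device"
    if location not in prefs.seen_locations:
        return True, "unfamiliar location"
    # User choices count only if the administrator allows them.
    if cfg.allow_user_choice and app in prefs.force_mfa_apps:
        return True, "user opted in to forced MFA"
    if cfg.allow_user_choice and (app, dev) in prefs.trusted:
        return False, "device marked trusted for this app"
    return True, "default"
```

Because the "skip MFA" mark is stored per (application, device) pair, trusting a device for one application does not suppress the prompt for another.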