Multi-factor authentication prompt loops on mobile devices for time and attendance clock-in causing missed punches

Our field employees are experiencing an MFA prompt loop when trying to clock in using the JDE mobile app for time and attendance. Here’s what happens: employee opens the app, enters credentials, receives MFA push notification, approves it, then immediately gets prompted for MFA again. This loop continues indefinitely and they can’t complete the clock-in.

The error in the mobile app log shows:

MFA validation successful
Session token received
Redirecting to clock-in screen...
Session expired - MFA required

This is causing missed punches because employees give up after 2-3 MFA attempts. We’ve had about 30 missed punch corrections in the last week alone. The issue seems to affect both iOS and Android devices, but only for the mobile clock-in function. Desktop users aren’t experiencing any MFA problems. Running JDE 9.2.2 with Duo Security for MFA. Anyone solved this mobile-specific MFA loop issue?

Another thing - check if your clock-in application is configured to require a new session for each punch. Some organizations set this for security, but it conflicts with MFA workflows. We changed our clock-in app to maintain the session for the entire shift (8-10 hours) which eliminated the repeated MFA prompts for lunch breaks and end-of-shift punch-outs.

In Duo, you need to configure the JDE mobile app as a ‘Trusted Application’ and enable the ‘Remember Device’ policy. This allows the device to be trusted for a specified period (we use 30 days) after successful MFA, so users only authenticate once per month instead of every clock-in. You’ll also need to update your mobile app configuration to store the device trust token securely in the device keychain.

Excellent troubleshooting. Let me provide a comprehensive solution addressing all three focus areas:

MFA Prompt Loop Resolution: The loop is caused by session/token timing mismatches. Implement these fixes:

  1. Mobile Session Configuration:

    • Extend mobile app session timeout to 300 seconds (5 minutes) minimum
    • Configure session refresh token with 12-hour validity
    • Enable background session persistence (allows app to maintain session when backgrounded during MFA)
    • Set MFA completion grace period: 120 seconds after authentication before session validation
  2. Duo Security Integration Settings:

    • Create dedicated Duo application policy for JDE Mobile Time & Attendance
    • Enable ‘Trusted Device’ feature with 30-day trust period
    • Configure device fingerprinting to recognize returning devices
    • Set MFA token validity to 600 seconds (longer than session timeout)
    • Enable ‘Automatic Push’ for trusted devices (reduces click steps)
  3. Mobile App Authentication Flow:

    • Modify authentication sequence: credentials → session creation → MFA validation → session activation
    • Implement token caching: store MFA token in secure device storage
    • Add retry logic with exponential backoff if session validation fails
    • Configure heartbeat mechanism: app pings server every 60 seconds to keep session alive during MFA

Mobile Clock-In Functionality: Optimize the clock-in workflow to prevent punch failures:

  1. Session Management for Clock-In:

    • Implement shift-based session: session remains valid for entire scheduled shift (8-12 hours)
    • Configure ‘Quick Punch’ mode: after initial MFA, subsequent punches within shift don’t require re-authentication
    • Enable offline punch capability: app stores punch locally if session/network issues occur, syncs when reconnected
    • Add session expiry warning: notify user 5 minutes before session expires
  2. Network and Performance Optimization:

    • Reduce clock-in API call latency: optimize backend response time to <2 seconds
    • Implement connection pooling for mobile devices
    • Enable HTTP/2 or compression for faster data transfer
    • Add retry mechanism for failed punches with automatic resubmission
  3. User Experience Improvements:

    • Add MFA status indicator in app: show ‘Authenticating…’, ‘Validated’, ‘Clock-in Ready’
    • Implement progress feedback during MFA process
    • Enable biometric authentication as MFA alternative (fingerprint/face ID)
    • Create ‘Emergency Clock-In’ mode: allows punch with supervisor approval if MFA fails

Punch Failure Prevention: Ensure reliable punch recording:

  1. Implement comprehensive offline mode:

    • App stores punches locally in encrypted storage
    • Auto-sync when connection restored
    • Visual indicator showing punch is queued for sync
    • Notification when punch successfully synced to server
  2. Monitoring and Alerts:

    • Real-time dashboard showing MFA failure rates by device type
    • Alert HR when employee has 2+ failed punch attempts
    • Track session timeout patterns to identify configuration issues
    • Generate daily report of missed punches with root cause analysis
  3. Fallback Mechanisms:

    • Enable SMS-based MFA as backup when push notifications fail
    • Provide web-based clock-in portal accessible from mobile browser
    • Create supervisor override capability for emergency situations
    • Implement grace period punch corrections: employees can add missed punch within 2 hours without approval
  4. Testing and Validation:

    • Test MFA flow under various network conditions (4G, WiFi, poor signal)
    • Validate session persistence when app is backgrounded/foregrounded
    • Verify token refresh logic works correctly
    • Load test with concurrent users during shift change times

Implementation Priority:

  1. Immediate: Extend session timeout to 300s, enable Duo trusted device policy
  2. Week 1: Implement shift-based sessions and offline punch capability
  3. Week 2: Configure heartbeat mechanism and session expiry warnings
  4. Week 3: Deploy monitoring dashboard and failover mechanisms
  5. Week 4: Roll out biometric MFA and comprehensive testing

This solution eliminates the MFA prompt loop through proper session management, ensures reliable mobile clock-in functionality with offline capability, and prevents punch failures through redundant mechanisms and proactive monitoring.

I’ve extended the mobile session timeout to 240 seconds and am working with our security team to configure the Duo trusted application policy. Testing with a small group of employees tomorrow. Will update with results.

Good suggestions. Our mobile session timeout is set to 90 seconds which might be too short. The MFA process typically takes 30-45 seconds, but if there’s any network latency it could exceed the 90-second window. I don’t see a ‘Remember Me’ option in our Duo policy for the mobile app - is that a specific policy type I need to create?
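To make the timing argument concrete (a 90-second pre-activation session versus a 30-45 second MFA round-trip plus network latency, and the proposed 300-second timeout with a 120-second grace period from the longer answer above), here is an added simulation of the credentials → session creation → MFA → session activation flow, plus a detector for the loop signature in the posted log. This is illustrative code written for this thread, not part of JDE, Duo or the mobile app; all timings and log formats are modelled from the posts, and the "Clock-in recorded" success line is a constructed marker.

```python
from dataclasses import dataclass

# Constructed model of the flow the thread describes. Times are in seconds and
# the server-side session clock starts when the credentials are accepted.

@dataclass
class SessionPolicy:
    session_timeout_s: int      # pre-activation session lifetime (thread: 90s today, 300s proposed)
    mfa_grace_s: int = 0        # extra time allowed after MFA approval before validation (proposed 120s)
    max_mfa_prompts: int = 3    # bound the simulation; employees in the post gave up after 2-3 prompts

def clock_in(policy: SessionPolicy, mfa_duration_s: int, network_latency_s: int):
    """Simulate one clock-in. Returns ("clocked_in", prompts) or ("mfa_loop", prompts)."""
    prompts = 0
    while prompts < policy.max_mfa_prompts:
        prompts += 1
        # Moment the app can present the approved MFA result to activate the session
        activation_at = mfa_duration_s + network_latency_s
        if activation_at <= policy.session_timeout_s + policy.mfa_grace_s:
            return "clocked_in", prompts
        # Session expired before activation: server answers "MFA required", app re-prompts
    return "mfa_loop", prompts

def count_loop_iterations(log_lines):
    """Count 'Session token received' events that end in 'Session expired' with no punch between."""
    loops, token_pending = 0, False
    for line in log_lines:
        if line.startswith("Session token received"):
            token_pending = True
        elif line.startswith("Clock-in recorded"):      # constructed success marker
            token_pending = False
        elif line.startswith("Session expired") and token_pending:
            loops += 1
            token_pending = False
    return loops

# Constructed log: the four-line excerpt from the original post repeated three times
SAMPLE_LOG = [
    "MFA validation successful",
    "Session token received",
    "Redirecting to clock-in screen...",
    "Session expired - MFA required",
] * 3

if __name__ == "__main__":
    print(clock_in(SessionPolicy(90), 45, 60))                    # current settings under latency
    print(clock_in(SessionPolicy(300, mfa_grace_s=120), 45, 60))  # proposed settings
    print(count_loop_iterations(SAMPLE_LOG))
```

Alerting when `count_loop_iterations` exceeds 1 for a device gives the "2+ failed attempts" signal the longer answer suggests, without waiting for a missed-punch correction to surface it.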