It appears that the MFA cookies, auth0-mf and auth0-mf-compat, share the same tenant “Session Expiration” settings as the normal login session’s cookies, presumably auth0 and auth0-compat.
For example, we have these settings set in our Auth0 tenant “Session Expiration” settings:
We’ve set these as this is how we want our normal login session to behave. Importantly, we wish it to be non-persistent (the session will expire when the browser is closed).
The issue is that this non-persistent session is also getting applied to the MFA cookie as well. On the MFA page there is a setting to “Remember this device for 30 days”.
Because we have our “Session Expiration” settings set to “Non-persistent”, our MFA cookie is non-persistent as well, meaning the device is being “forgotten” when the browser is closed, and not after 30 days, essentially defeating the purpose of the checkbox.
We’d like to be able to manage these cookies separately, where we can have our login session be non-persistent, while our MFA cookie is persistent.
Is this possible?
The best reference I could find, although it does not answer this question: MFA Session Cookie (auth0-mf)
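One way to confirm the behaviour described in this post from a browser capture is to check whether the MFA cookies are set with any Max-Age or Expires attribute at all. The script below is an added example, not Auth0's code or anything from the thread; the Set-Cookie headers are constructed placeholders, and the cookie names are the ones named above.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed sample Set-Cookie headers, roughly what a dev-tools capture might show after
# a login with "Remember this device for 30 days" ticked. Cookie values are placeholders.
SAMPLE_SET_COOKIES = [
    "auth0=<login-session-placeholder>; Path=/; HttpOnly; Secure; SameSite=None",
    "auth0-compat=<login-session-placeholder>; Path=/; HttpOnly; Secure",
    "auth0-mf=<mfa-placeholder>; Path=/; HttpOnly; Secure; SameSite=None",
    "auth0-mf-compat=<mfa-placeholder>; Path=/; HttpOnly; Secure",
]


@dataclass
class CookieLifetime:
    name: str
    persistent: bool                 # True when Max-Age or Expires is present
    lifetime_seconds: Optional[int]  # remaining lifetime, None for a session cookie


def classify(set_cookie: str, now: Optional[datetime] = None) -> CookieLifetime:
    """Parse one Set-Cookie header and decide whether the browser keeps it past browser close.

    A cookie with neither Max-Age nor Expires is a session cookie and is discarded when the
    browser closes, whatever the server intended. Per RFC 6265, Max-Age takes precedence.
    """
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    max_age = expires = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            max_age = int(value.strip())
        elif key == "expires":
            expires = parsedate_to_datetime(value.strip())
    if max_age is not None:
        return CookieLifetime(name, True, max_age)
    if expires is not None:
        return CookieLifetime(name, True, int((expires - now).total_seconds()))
    return CookieLifetime(name, False, None)


def mfa_cookies_forgotten_on_close(headers: list) -> list:
    """Return the names of MFA cookies (auth0-mf*) that will not survive a browser restart."""
    return [c.name for c in map(classify, headers)
            if c.name.startswith("auth0-mf") and not c.persistent]
```

Running it on the constructed capture lists both MFA cookies, which is exactly the symptom the post describes; a tenant where the device is remembered for 30 days would instead show Max-Age or Expires on those cookies.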