Adjust MFA Remember me cookie expiry

When using the custom MFA widget, you cannot change the expiry time of the remembered device cookie. According to the documentation (Customize Multi-Factor Authentication Pages), a cookie will expire in 7 days even though a user clicked “remember for 30 days”.

The time values are for active users. If a user is inactive for a period of seven days or more, their cookie will expire and they will be prompted for MFA on their next login attempt, even if allowRememberBrowser is set to true and it has not been 30 days since their last MFA prompt.

This is perceived as broken by a large number of our users who are being prompted more times than they expect in the 30-day window. Many of our users open tickets complaining that they remembered their device last week and they are being prompted for their MFA code again.

Ideally, tenants can control how long the remembered device cookie is active for, up to a 30-day period.
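
The two timers in the quoted documentation, replayed over a login history to show which logins prompt for MFA and why. This is an added example, not Auth0 code or part of the original post; `replayLogins`, the sample dates, and the assumptions that every login counts as activity and that both limits are inclusive are illustrative.

```javascript
// Added model, not Auth0 code. The 7-day and 30-day windows come from the
// quoted documentation; the ">=" comparisons and "each login counts as
// activity" are assumptions made for this example.
const DAY_MS = 24 * 60 * 60 * 1000;
const INACTIVITY_DAYS = 7; // cookie lapses after this much inactivity
const REMEMBER_DAYS = 30;  // maximum time since the last MFA prompt

// logins: ISO timestamps in ascending order.
// Returns one record per login: whether MFA is prompted, and the reason.
function replayLogins(logins) {
  let lastMfa = null;      // time of the last MFA prompt
  let lastActivity = null; // time of the last login of any kind
  return logins.map((iso) => {
    const now = Date.parse(iso);
    let reason = null;
    if (lastMfa === null) {
      reason = "no remembered device";
    } else if (now - lastMfa >= REMEMBER_DAYS * DAY_MS) {
      reason = "30 days since last MFA prompt";
    } else if (now - lastActivity >= INACTIVITY_DAYS * DAY_MS) {
      reason = "inactive for 7 days or more";
    }
    if (reason !== null) lastMfa = now; // a prompt restarts the 30-day clock
    lastActivity = now;                 // any login restarts the idle clock
    return { login: iso, prompted: reason !== null, reason };
  });
}

// Constructed timeline: the user remembers the device on 1 March, stays
// away for eight days, then logs in twice more within a week.
const sample = [
  "2024-03-01T09:00:00Z", // prompted: first login
  "2024-03-09T09:00:00Z", // prompted again: idle for 8 days
  "2024-03-12T09:00:00Z", // not prompted
  "2024-03-18T09:00:00Z", // not prompted
];

for (const r of replayLogins(sample)) {
  console.log(r.login, r.prompted ? `MFA (${r.reason})` : "no MFA");
}
```

Feeding a user's real login timestamps into the function shows whether a prompt they reported matches the documented inactivity rule.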

Hey there!

Thank you for creating this feedback card! Make sure to upvote it so that it gets as many votes and attracts as many community members as possible! We review those feedback cards on a monthly basis and will let you know once we have updates on that front!


Hi there,

This is an awesome question! Please can the support team make some time to review :slight_smile: