When using the custom MFA widget, you cannot change the expiry time of the remembered device cookie. According to the documentation (Customize Multi-Factor Authentication Pages), a cookie will expire in 7 days even though a user clicked “remember for 30 days”:
The time values are for active users. If a user is inactive for a period of seven days or more, their cookie will expire and they will be prompted for MFA on their next login attempt, even if allowRememberBrowser is set to true and it has not been 30 days since their last MFA prompt.
This is perceived as broken for a large number of our users that are being prompted more times than they expect in the 30-day window. Many of our users open tickets complaining that they remembered their device last week and they are being prompted for their MFA code again.
Ideally, tenants can control how long the remembered device cookie is active for, up to a 30-day period.