Behavior of the allowRememberBrowser Option When Using api.multifactor.enable in Actions

auth0.knowledge2 · June 20, 2025, 6:49pm

Overview

This article explains why a user’s browser may not be remembered, requiring the user to perform Multifactor Authentication (MFA) multiple times per session when using api.multifactor.enable(‘any’) in an Action.

Applies To

Actions
Multifactor Authentication (MFA)

Cause

The allowRememberBrowser parameter, responsible for allowing users’ devices to be trusted for 30 days before requiring a new MFA challenge, is set to false by default.

Solution

To allow the browser to be remembered, the allowRememberBrowser option must be explicitly set to true when calling api.multifactor.enable(), e.g.:

api.multifactor.enable('any', { allowRememberBrowser: true });

More details about this default behavior can be found at Actions Triggers: post-login - API Object.

Topic		Replies	Views
Disable allowRememberBrowser Get Help mfa , mfa-api	5	663	May 6, 2024
Inconsistent Behavior when Using "Remember browser" - allowRememberBrowser Flag in Actions Knowledge Articles actions	1	557	March 29, 2024
Configuring MFA Flow to require MFA once per session with Actions Knowledge Articles mfa , extensibility , actions	1	3029	June 14, 2022
MFA Once Per Session Action Knowledge Articles	1	2249	June 28, 2023
Users Are Not Prompted to Use MFA after Enrolling a Factor Knowledge Articles mfa , rule , prompt , action , remember-device	1	1874	August 30, 2022

Behavior of the allowRememberBrowser Option When Using api.multifactor.enable in Actions

Overview

Applies To

Cause

Solution

Related topics