Change authentication request frequency

I have an application which uses Auth0 MFA. My code does an POST request to /oauth/token and if the response is an error stating mfa_required i do a POST request to /mfa/challenge to get the otp over email ,In the UI user enters the otp received and logins.

This flow works fine. But every time i logout and login , the otp is required. I want to change the authentication frequency , and and expects Auth0 to remember me for certain time.
Upon reading through the dosc i came arounf the topic Change authentication request frequency , implemented it using allowRememberBrowser: true , But it didn’t worked. Since i am not using the Auth0 flow . How can i implement this feature using the Auth0 api’s. Do i need to call any api so that the cookies are saved in my browser and the next time the authentication is skipped.
Can you please guide me through this .

Hi @aashish,

Welcome to the Community!

Can you post the code to your rule so we can take a look?

function (user, context, callback) {

  var CLIENTS_WITH_MFA = ['<<CODE>>'];
   if (context.protocol === 'oauth2-refresh-token'){
    return callback(null, user, context);
  // run only for the specified applications
  // if (CLIENTS_WITH_MFA.indexOf(context.clientID) !== -1) {
    // uncomment the following if clause in case you want to request a second factor only from user's that have user_metadata.use_mfa === true
    if (user.user_metadata && user.user_metadata.use_mfa){
      context.multifactor = {
        provider: 'any',
        allowRememberBrowser: true

  callback(null, user, context);

Wanted to know how can i skip auth , and allow Auth0 to remember my browser by using the Auth0 api’s

Is the user.user_metadata.user_mfa conditional being met?

Also, you should use app_metadata for this flag, as it is considered access information:

Using that flag should allow that to happen.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.