Configure Number of Days for "Remember this Device"

Problem Statement

Can the period for “Remember this Device” for one-time code be configured?

Solution

The period for remembering the device is not customizable at the moment. Refer to Customize Multi-Factor Authentication Pages for more details. There is a backlog item to address this feature request. However, there is no ETA yet.

Depending on your business use case, there can be different ways to decide on the MFA frequency.

The last authentication timestamp can be checked by accessing the event.authentication.methods[] array (see Actions Triggers: post-login - Event Object), and the script below can be updated to validate against a 24-hour window. The ‘methods’ array will have values like the following:

[
  {
    "name": "pwd",
    "timestamp": "2022-02-07T00:22:54.822Z"
  },
  {
    "name": "mfa",
    "timestamp": "2022-02-07T00:28:02.882Z"
  }
]

Here is an example Action that looks at the last time the user completed MFA for their current session to decide whether MFA should be prompted again:

exports.onExecutePostLogin = async (event, api) => {
    let timeDelay = 60*60*1000; //default to 1 hour between MFA challenges
    const appMetadata = event.user.app_metadata || {}; //guard against app_metadata being unset
    if (appMetadata.trigger_mfa) { //Optional - only trigger MFA for users with trigger_mfa app_metadata flag set to true
      if (appMetadata.MFAdelay) {
        //Override default period between MFA challenges with a value in ms from metadata
        timeDelay = appMetadata.MFAdelay;
      }
      const mfaTime = event.authentication.methods.find(({name}) => name === "mfa")
      const currentTime = new Date();
      if (mfaTime) {
        console.log("mfaTime found");
        const mfaDateTime = Date.parse(mfaTime.timestamp);
        console.log("Elapsed time since last MFA:",currentTime - mfaDateTime);
        if (currentTime - mfaDateTime < timeDelay) {
          console.log("Insufficient time since last prompt for MFA")
        } else {
          console.log("Last MFA auth was over timeDelay, force MFA prompt")
          api.multifactor.enable("any",{allowRememberBrowser:false});
        }
      } else {
        console.log("No previous mfa record found for session, prompting for MFA")
        api.multifactor.enable("any",{allowRememberBrowser:true});
      }

    }
};

NOTE: This sample is provided as a starting point and should not be considered production-ready. Please test thoroughly before applying to a production environment.

NOTE: As the sample stands currently, this will be tied to the user’s session lifetime, so custom MFA delays beyond the tenant’s absolute session lifetime limit will not be possible. Refer to Configure Session Lifetime Settings.
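
The decision logic of the Action above can be pulled into a pure function and exercised offline against constructed event objects. This is an added example, not Auth0's code or part of the original article; the names resolveDelay, mfaDecision and sampleEvent are hypothetical, and it assumes the most recent "mfa" entry should win and that an invalid MFAdelay or timestamp should fall back to the stricter behaviour.

```javascript
// Added example (not Auth0's code): testable decision logic for the post-login Action.
const DEFAULT_DELAY_MS = 60 * 60 * 1000; // 1 hour, as in the sample above

// Accept only a positive finite number from app_metadata.MFAdelay; otherwise use the default.
function resolveDelay(appMetadata) {
  const v = Number(appMetadata && appMetadata.MFAdelay);
  return Number.isFinite(v) && v > 0 ? v : DEFAULT_DELAY_MS;
}

// Returns null (no MFA prompt) or the options to pass to api.multifactor.enable("any", ...).
function mfaDecision(event, nowMs) {
  const meta = (event.user && event.user.app_metadata) || {};
  if (!meta.trigger_mfa) return null; // user is not covered by the MFA policy flag
  const methods = (event.authentication && event.authentication.methods) || [];
  const stamps = methods
    .filter((m) => m.name === "mfa")
    .map((m) => Date.parse(m.timestamp));
  if (stamps.length === 0) return { allowRememberBrowser: true }; // no MFA yet in this session
  // Fail closed: an unparseable timestamp is treated as "MFA too old".
  if (stamps.some(Number.isNaN)) return { allowRememberBrowser: false };
  const elapsed = nowMs - Math.max(...stamps); // the most recent MFA entry wins
  return elapsed < resolveDelay(meta) ? null : { allowRememberBrowser: false };
}

// Thin handler; in an Action this would be assigned to exports.onExecutePostLogin.
async function onExecutePostLogin(event, api) {
  const opts = mfaDecision(event, Date.now());
  if (opts) api.multifactor.enable("any", opts);
}

// Constructed sample event using the methods[] values shown above.
const sampleEvent = {
  user: { app_metadata: { trigger_mfa: true } },
  authentication: {
    methods: [
      { name: "pwd", timestamp: "2022-02-07T00:22:54.822Z" },
      { name: "mfa", timestamp: "2022-02-07T00:28:02.882Z" },
    ],
  },
};
const mfaAt = Date.parse("2022-02-07T00:28:02.882Z");
console.log(mfaDecision(sampleEvent, mfaAt + 30 * 60 * 1000)); // 30 minutes after MFA
console.log(mfaDecision(sampleEvent, mfaAt + 2 * 60 * 60 * 1000)); // 2 hours after MFA
```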