We have configured our app’s refresh tokens with 12 hour lifetimes. After 12 hours of inactivity we want the user to be signed out. This has been working fine for us for some time now.
Recently we gave our users the option to use MFA. When the user opts into MFA, we have an Auth0 rule that turns MFA on for that user (i.e. it configures adaptive or always-on MFA based on the user’s choice). Note that in our tenant we have only configured One-time Password and Recovery code as factors.
We are finding that users who log in with MFA are being treated as signed out after about 2 hours of inactivity. More specifically, they can log in fine, but if they sit idle for a couple of hours, the next time we attempt to get an access token, getTokenSilently will fail with a “Multifactor authentication required” error. At this point the user has to log in again.
Obviously these users expect to have the same session times as non-MFA users.
I do not see a way to control this in the tenant portal, nor do I see anything in the forums about being able to configure the expiry on MFA. Hopefully I’m just missing something.
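As an added example (not the original poster's code and not Auth0's), here is how a single-page app can tell the "Multifactor authentication required" failure of getTokenSilently apart from transient errors and fall back to an interactive login instead of leaving the user stranded. It assumes the auth0-spa-js convention that the thrown error carries an `error` code (`mfa_required` is the code Auth0 pairs with that description, alongside `login_required` and `consent_required`); the client object is a constructed stand-in so the example runs offline, and `startInteractiveLogin` is a placeholder for `loginWithRedirect()` in a real app.

```javascript
// Error codes that auth0-spa-js surfaces from getTokenSilently() when the
// session cannot be renewed without user interaction. "mfa_required" is the
// code Auth0 pairs with the description "Multifactor authentication required".
const INTERACTIVE_LOGIN_ERRORS = new Set([
  "login_required",
  "consent_required",
  "mfa_required",
]);

// True when the failure means "send the user through an interactive login";
// false for transient problems (network, timeout) that a retry may fix.
function needsInteractiveLogin(err) {
  return Boolean(err) && typeof err.error === "string" &&
    INTERACTIVE_LOGIN_ERRORS.has(err.error);
}

// Wraps getTokenSilently(): returns a token, or null after handing the user
// to `startInteractiveLogin` when silent renewal is impossible. Other errors
// are re-thrown so callers do not mistake an outage for an expired session.
async function getAccessToken(auth0Client, startInteractiveLogin, log = () => {}) {
  try {
    return await auth0Client.getTokenSilently();
  } catch (err) {
    if (needsInteractiveLogin(err)) {
      // Record the code so session-length problems like the one described
      // above show up in telemetry rather than as unexplained sign-outs.
      log({ event: "silent_auth_failed", code: err.error, reason: err.error_description });
      await startInteractiveLogin(err);
      return null;
    }
    throw err;
  }
}

// Constructed stand-in for the Auth0 client so the example runs offline.
// `failure` is null (success) or { code, description }, mirroring the shape
// of the error auth0-spa-js throws (an Error with `error` and `error_description`).
function makeFakeClient(failure) {
  return {
    async getTokenSilently() {
      if (failure) {
        const e = new Error(failure.description);
        e.error = failure.code;
        e.error_description = failure.description;
        throw e;
      }
      return "constructed.access.token";
    },
  };
}

// Drives three constructed cases (healthy session, MFA required, outage)
// and returns what happened in each, for inspection.
async function runScenarios() {
  const results = {};
  const cases = {
    ok: null,
    mfa: { code: "mfa_required", description: "Multifactor authentication required" },
    outage: { code: "timeout", description: "Timeout" },
  };
  for (const [name, failure] of Object.entries(cases)) {
    const logged = [];
    let redirected = false;
    try {
      const token = await getAccessToken(
        makeFakeClient(failure),
        async () => { redirected = true; }, // real app: auth0Client.loginWithRedirect()
        (entry) => logged.push(entry),
      );
      results[name] = { token, redirected, logged, threw: null };
    } catch (err) {
      results[name] = { token: null, redirected, logged, threw: err.error };
    }
  }
  return results;
}

runScenarios().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The point of the split is that only the three "interactive" codes should send the user back through login; a network timeout re-thrown to the caller can be retried, whereas treating it like an expired session would sign people out for no reason.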