Hi,
We have set up MFA to all the users when they log in, and enabled the OTP (One Time Password).
What we want to do is change the OTP from the default 30 days login to a single day, so that every day when a user logs in, they need to provide OTP again.
I know this functionality was not available to configure a few years ago (based on this threat) but was wondering if this was changed and is now available?
Sorry for the delay in response. Yep managed to find discuss it with one of the colleagues:
acr_values parameter when sending authorize can be used for force MFA, or a rule to change allow remember browser, it can’t be extended beyond the 30 days though
Hi @konrad.sopala , thanks for getting back to me!
So my understanding is that I can either use a rule to enable mfa for clients that log in, or send acr_values to my /authorize endpoint, which tells the system that I want to force current user to log in with MFA.
Also, I understand that using the rememberBrowser:false will make the MFA work on every log in.
What I’m looking for is not to extend the 30 days of MFA, but rather reduce it to 1 day.
using acr_values or rememberBrowser:false will mean that I am forcing my users to use MFA on every single login, meaning that can happen multiple times a day - where I want to enable it to work only once a day.
Based on what I am reading from you, that number isn’t configurable at the moment? It’s either every login, or 30 days, correct?