How to change MFA-OTP default 30 days login time?

We have set up MFA to all the users when they log in, and enabled the OTP (One Time Password).
What we want to do is change the OTP from the default 30 days login to a single day, so that every day when a user logs in, they need to provide OTP again.

I know this functionality was not available to configure a few years ago (based on this threat) but was wondering if this was changed and is now available?


Hey there!

Great question! Not sure about this one but let me research that for you and get back to you as soon as I have news to share!

1 Like

Hello @konrad.sopala
Was just wondering if you have any updates on this?


Hey there!

Sorry for the delay in response. Yep managed to find discuss it with one of the colleagues:

acr_values parameter when sending authorize can be used for force MFA, or a rule to change allow remember browser, it can’t be extended beyond the 30 days though

1 Like

Hi @konrad.sopala , thanks for getting back to me!
So my understanding is that I can either use a rule to enable mfa for clients that log in, or send acr_values to my /authorize endpoint, which tells the system that I want to force current user to log in with MFA.
Also, I understand that using the rememberBrowser:false will make the MFA work on every log in.

What I’m looking for is not to extend the 30 days of MFA, but rather reduce it to 1 day.

using acr_values or rememberBrowser:false will mean that I am forcing my users to use MFA on every single login, meaning that can happen multiple times a day - where I want to enable it to work only once a day.

Based on what I am reading from you, that number isn’t configurable at the moment? It’s either every login, or 30 days, correct?

Unfortunately yes, that’s the only doable modification at the moment. You can create a feedback topic regarding that in our feedback category: