
How to change skip MFA default period of 30 days to another value if allowRememberBrowser set to true


#1

We are using silent login, but it fails with MFA turned on. The allowRememberBrowser setting would skip MFA for a period of 30 days, but 30 days is too long and defeats the purpose of having MFA. However, if we could set that value to 5 hours or something similar, then we could use this functionality to solve the ‘Silent Login’ issue. Is there a way to change this setting?

Or are there any other options to make the MFA work with silent login?


#2

The 30 day expiry is not configurable at the moment. You may request such a feature be added at https://auth0.com/feedback


#3

We got the same problem.

@john7 how did you solve your problem? By allowing the 30 day expiry? This post looks solved, but it doesn’t have any real solutions. We don’t see any way to allow silent login with 2FA and a shorter timespan… (e.g. Google Authenticator is required once each day)

I created a feedback request to allow the 30 days to be configurable, but that probably won’t be implemented for a while…


#4

Hi Jan, we solved this problem by changing the MFA rules. The following is the code we are using:

```javascript
function (user, context, callback) {
  var TEN_MINUTES = 10 * 60 * 1000;

  // You can't have silent login with MFA, so this conditionally disables
  // it if you've logged in in the last TEN_MINUTES
  user.app_metadata = user.app_metadata || {};

  if (user.user_metadata && user.user_metadata.mfa_enabled) {
    var last_login = user.app_metadata.last_login;

    if (!last_login || last_login < (Date.now() - TEN_MINUTES)) {
      user.app_metadata.last_login = Date.now();
      context.multifactor = {
        provider: 'google-authenticator',
        allowRememberBrowser: false
      };
      // updateAppMetadata returns a promise; finish the rule only once the
      // timestamp has been persisted (or report the error)
      auth0.users.updateAppMetadata(user.user_id, user.app_metadata)
        .then(function () { callback(null, user, context); })
        .catch(callback);
      return;
    }
  }

  callback(null, user, context);
}
```


#5

Hi John, thanks for the reply.

We also tried a similar approach as yours. But this has a flaw in it.

The rules are always executed after the password login. So the last login time is always set, even if you did not complete the GA. Just a refresh will bypass the 2FA.

Eg in your example, login with password, then you get the GA popup, refresh browser to bypass.

All rules are executed after the password login and seem to configure the GA to run. We found no way to store a variable after the 2FA has been completed successfully. So I don’t see how we can properly use silent login and 2FA with a reasonable timespan for allowRememberBrowser. (30 days is way too long).

Regards,
Jan


#6

It just dawned on me that the allowRememberBrowser and 30 days might actually be the settings of Google Authenticator. So therefore not configurable as long as Google does not allow it.

The problem is actually that we are forced to use silent login with the allowRememberBrowser=true setting. If we could use it without remembering, everything would be ok. Then each time the user logs in, 2FA is used. But the renewal of the JWT token with silent login should be possible without 2FA somehow to be able to make it work.

We will check with our customer to see if the 30 days remember browser is sufficient.

Regards,
Jan


#7

Hi Jan,

Sorry for the late reply. Yes, you are right. There was a flaw with updating the last login timestamp directly in the MFA rules. We changed it to update the value in our applications via an API call in the callbacks method.

Regards,

John
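The difference between the rule in #4 and the fix in #7 comes down to *when* the "last login" timestamp is written. The following model is an added example, not code from the thread or from Auth0: it assumes a plain object stands in for app_metadata and uses a constructed timestamp, and it shows that writing the timestamp inside the rule (before the MFA challenge is answered) lets a refresh skip the challenge, while writing it from the application's callback (after the full login succeeded) keeps the challenge in place.

```javascript
// Added example, not from the thread: a small model of the two places the
// "last login" timestamp can be written, showing why the rule in #4 can be
// skipped by a refresh and why the callback-side update in #7 cannot.
const WINDOW_MS = 10 * 60 * 1000; // TEN_MINUTES from the posted rule

// The rule's decision: challenge unless a timestamp inside the window exists.
function mfaRequired(lastTs, now, windowMs = WINDOW_MS) {
  return !lastTs || lastTs < now - windowMs;
}

// Flawed placement (#4): the rule itself stores the timestamp. Rules run right
// after the password step, so this happens before the MFA challenge is answered.
function ruleStoresTimestamp(meta, now) {
  const required = mfaRequired(meta.last_login, now);
  if (required) meta.last_login = now;
  return required;
}

// Fixed placement (#7): the rule only reads. The application records the
// timestamp in its callback, which runs only after the whole login succeeded.
function ruleReadsOnly(meta, now) {
  return mfaRequired(meta.last_login, now);
}
function callbackAfterFullLogin(meta, now) {
  meta.last_login = now;
}

// Scenario 1: password login, MFA prompt shown, user refreshes without
// answering, so the rule runs again a few seconds later and no callback fired.
function refreshBeforeMfa(rule) {
  const meta = {}; // stands in for user.app_metadata (assumption)
  const t0 = Date.parse('2024-01-01T09:00:00Z'); // constructed sample time
  const first = rule(meta, t0);
  const afterRefresh = rule(meta, t0 + 5000);
  return { first, afterRefresh }; // afterRefresh must stay true to be safe
}

// Scenario 2 (fixed flow): MFA completed, callback records the timestamp, then
// a silent login inside the window passes and one after the window is challenged.
function silentLoginAfterMfa() {
  const meta = {};
  const t0 = Date.parse('2024-01-01T09:00:00Z');
  const challenged = ruleReadsOnly(meta, t0);
  callbackAfterFullLogin(meta, t0 + 30000); // user answered the challenge
  const silentInWindow = ruleReadsOnly(meta, t0 + 5 * 60 * 1000);
  const silentAfterWindow = ruleReadsOnly(meta, t0 + 20 * 60 * 1000);
  return { challenged, silentInWindow, silentAfterWindow };
}
```

Running `refreshBeforeMfa` with each rule variant makes the difference visible: the flawed variant reports no challenge on the refreshed login, the read-only variant still does.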