The requirement is to change the default skip MFA enrolment period (“Remember me for 30 days” period) of 30 days to 14 days.
I tried with the last_login attribute but this got a flaw. The rules are always executed after the password login. So the last login time is always set, even if 2FA is not completed. So a refresh will bypass the 2FA.
function ( user, context, callback ) {
var FOURTEEN = 14 * 24 * 60 * 60 * 1000;
user.app_metadata = user.app_metadata || {};
if (user.user_metadata && user.user_metadata.mfa_enabled) {
var last_login = user.app_metadata.last_login;
if(!last_login || last_login < (Date.now() - FOURTEEN )){
user.app_metadata.last_login = Date.now();
auth0.users.updateAppMetadata(user.user_id, user.app_metadata);
context.multifactor = {
provider: 'any',
allowRememberBrowser: false
};
}
}
callback( null, user, context );
}
Is there a way to change this setting without letting the users bypass the MFA flow?