Overview
This article describes the available methods to invalidate the MFA cookie that is set when a user selects Remember device for 30 days after completing MFA.
Applies To
- Multifactor Authentication (MFA)
- Cookies
Solution
The primary method to invalidate the MFA cookie that allows a user to skip MFA is to call the Management API endpoint described in Invalidate All Remembered Browsers for Multi-factor Authentication.
If using a Post-Login Action to trigger MFA, there is a slight nuance to the cookie behavior.
Example:
// Post-Login Action: require MFA and do not offer the "remember browser" option
api.multifactor.enable('any', { allowRememberBrowser: false });
Setting allowRememberBrowser to false produces the following behavior:
- The radio button is no longer rendered during the MFA prompt to allow users to set an MFA cookie.
- Any previously issued MFA cookies will be invalidated when the user is redirected to the MFA step.
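As an added example (not part of this article or Auth0's own code), the Post-Login Action handler described above is shown beside a helper that builds and sends the Management API request for the Invalidate All Remembered Browsers endpoint; the tenant domain, user ID and token are constructed placeholders, and the endpoint path and the update:users scope are taken from the Management API documentation.

```javascript
// Added example, not from the original article. It pairs the Post-Login
// Action behaviour described above with a helper for the Management API
// endpoint "Invalidate All Remembered Browsers for Multi-factor Authentication"
// (POST /api/v2/users/{id}/multifactor/actions/invalidate-remember-browser).
// Tenant domain, user id and token below are constructed placeholders.

// (1) Post-Login Action handler. In the Actions editor this is assigned to
// exports.onExecutePostLogin; it is a plain function here so it can be tested.
async function onExecutePostLogin(event, api) {
  // 'any' lets the user complete MFA with any enrolled factor.
  // allowRememberBrowser: false hides the "remember" option and invalidates
  // previously issued MFA cookies when the user reaches the MFA step.
  api.multifactor.enable('any', { allowRememberBrowser: false });
}

// (2) Build the request that invalidates every remembered browser for one
// user. The access token needs the update:users scope.
function buildInvalidateRememberBrowserRequest(tenantDomain, userId, accessToken) {
  // user_id values such as "auth0|abc123" contain '|' and must be URL-encoded
  // before they are placed in the path.
  const encodedId = encodeURIComponent(userId);
  return {
    method: 'POST',
    url: `https://${tenantDomain}/api/v2/users/${encodedId}` +
      '/multifactor/actions/invalidate-remember-browser',
    headers: { Authorization: `Bearer ${accessToken}` },
  };
}

// (3) Send it. fetchImpl is injectable so the call can be exercised offline;
// the endpoint answers 204 No Content on success, anything else is a failure.
async function invalidateRememberedBrowsers(tenantDomain, userId, accessToken,
                                            fetchImpl = globalThis.fetch) {
  const req = buildInvalidateRememberBrowserRequest(tenantDomain, userId, accessToken);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers });
  if (res.status === 204) return true;
  throw new Error(`invalidate-remember-browser returned HTTP ${res.status}`);
}

// Demo with a stub fetch so the file runs without a tenant.
const stubFetch = async () => ({ status: 204 });
invalidateRememberedBrowsers('example.auth0.com', 'auth0|abc123', 'PLACEHOLDER_TOKEN', stubFetch)
  .then((ok) => console.log('remembered browsers invalidated:', ok));
```

Replace the stub with the real fetch (omit the last argument) and a Management API token to run it against a tenant.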