Invalidate MFA Browser Cookie

Overview

This article describes the available methods to invalidate the MFA cookie that is set when a user selects the Remember device for 30 days option after completing MFA.

Applies To

  • Multifactor Authentication (MFA)
  • Cookies

Solution

The primary method to invalidate the MFA cookie that allows a user to bypass MFA is to call the Management API endpoint described in Invalidate All Remembered Browsers for Multi-factor Authentication.

If using a Post-Login Action to trigger MFA, there is a slight nuance to the cookie behavior.

Example:

api.multifactor.enable('any', { allowRememberBrowser: false });

Setting "allowRememberBrowser" to false produces the following behavior:

  • The radio button that lets users set an MFA cookie is no longer rendered in the MFA prompt.
  • Any previously issued MFA cookies are invalidated when the user is redirected to the MFA step.
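The following is an added example of a complete Post-Login Action built around this option; it is not code from the original article. It assumes a hypothetical app_metadata flag, require_fresh_mfa, that marks users who must never keep a remembered browser; the onExecutePostLogin signature and api.multifactor.enable are the Auth0 Actions API.

```javascript
// Added example: a Post-Login Action that always prompts for MFA and, for
// users flagged in app_metadata, withholds the "Remember device" option so
// that any MFA cookie they already hold is invalidated at the MFA step.
// The flag name `require_fresh_mfa` is an assumption made for this example.

// Compute the options passed to api.multifactor.enable for this login.
// Returns { allowRememberBrowser: false } for flagged users, true otherwise.
function mfaOptionsFor(event) {
  const user = (event && event.user) || {};
  const meta = user.app_metadata || {};
  return { allowRememberBrowser: meta.require_fresh_mfa !== true };
}

// Auth0 Post-Login Action entry point. The enable() call is issued
// synchronously inside the handler; nothing here is awaited.
async function onExecutePostLogin(event, api) {
  api.multifactor.enable('any', mfaOptionsFor(event));
}

// Export in the shape Auth0 expects when this file is deployed as an Action.
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Stand-alone demonstration with a constructed api recorder (no Auth0 runtime).
function demo() {
  const calls = [];
  const api = {
    multifactor: {
      enable(provider, options) { calls.push({ provider, options }); },
    },
  };
  onExecutePostLogin({ user: { app_metadata: { require_fresh_mfa: true } } }, api);
  return calls; // [{ provider: 'any', options: { allowRememberBrowser: false } }]
}
```

Deployed as an Action, the flagged user sees no Remember device control and any remembered-browser cookie they hold stops bypassing MFA; unflagged users keep the normal 30-day behavior.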