Invalidate MFA Browser Cookie

gabriela.pantea · July 30, 2024, 7:48pm

Overview

This aritlce details what are the available methods to invalidate the MFA cookie that gets set when a user clicks the button Remember device for 30 days after completing MFA.

Applies To

Multifactor Authentication (MFA)
Cookies

Solution

The primary method to invalidate the MFA cookie that allows a user to bypass MFA is by making a request to this Management API endpoint. Please see Invalidate All Remembered Browsers for Multi-factor Authentication.

If using a Post-Login Action to trigger MFA, there is a slight nuance to the cookie behavior.

Example:

api.multifactor.enable('any', { allowRememberBrowser: false });

By setting “allowRememerBrowser” to false, this produces the following behavior:

The radio button is no longer rendered during the MFA prompt to allow users to set an MFA cookie.
Any previously issued MFA cookies will be invalidated when the user is redirected to the MFA step.

Topic		Replies	Views
Disable allowRememberBrowser Help mfa , mfa-api	5	403	May 6, 2024
Adjust MFA Remember me cookie expiry Feedback login , mfa-devices	2	1871	September 12, 2023
Inconsistent Behavior when Using "Remember browser" - allowRememberBrowser Flag in Actions Knowledge Articles actions	1	414	March 29, 2024
New API endpoint to reset MFA Cookie released! Announcements api , mfa , management-api , multi-factor	2	5264	September 3, 2019
Reduce the amount of time of Remember browser setting in MFA for testing Knowledge Articles mfa-sms , settings , remember-browser	1	1753	November 10, 2022

Invalidate MFA Browser Cookie

Overview

Applies To

Solution

Related Topics