Feature: Maintaining “Remember this Device” support with non-persistent sessions
Description: It seems feasible that Auth0 should allow the two things to work simultaneously:
- “Non-Persistent Sessions” such that when the user closes the browser all cookies except the auth0-mf cookie are invalidated.
- “Remember this Device for 30 days” such that even if the user closes the browser and opens our application, they aren’t prompted for MFA again.
Use-case: We want the added security bonus of “Non-Persistent Sessions” while still getting the ease-of-use for users of allowing for the device to be remembered such that users are not challenged for MFA on subsequent logins.