Overview
This article clarifies the actual timeout duration for New Universal Login MFA, from landing on the MFA screen.
Applies To
- Multifactor Authentication (MFA)
- New Universal Login MFA
Solution
The MFA challenge screen for New Universal Login, located at the URL https://{auth0_domain}.{region}.auth0.com/u/mfa-otp-challenge?state=... , has a 10-minute timeout, which is non-configurable.
- When 10 minutes have elapsed, the user is redirected to the application’s callback URL, with a query string parameter appended that carries the error "Transaction has expired".
- If the application in question has a default login URL configured, then that will be used instead of the callback URL.
NOTE: This timeout is specific to the MFA challenge screen and should not be confused with the overall login transaction session or with the expiry of an Email or SMS code. The overall login transaction session expires after 1 hour, unless the corresponding Auth0 tenant’s ‘Maximum Session Timeout’ is configured to a lower value. For codes resulting from an SMS or Email MFA enrollment, the code itself is valid for 5 minutes, and an error is returned directly in the MFA widget, allowing users to resend a code.
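One way an application can handle the redirect described in the Solution section, as an added example (not Auth0 code and not part of the original article). The function name, the retry cap, the sample hosts and the sample parameter names are assumptions; only the message text "Transaction has expired" comes from the article.

```javascript
// Added example, not Auth0 code. The message text comes from the article; the
// query parameter that carries it is not named there, so every value is checked.
const EXPIRED_MESSAGE = "transaction has expired";
const MAX_RESTARTS = 2; // assumption: cap on automatic re-logins per browser session

// rawUrl: the full URL the browser was redirected to (the callback URL, or the
// default login URL when one is configured).
// restartsSoFar: how many times this session has already restarted the login.
function classifyRedirect(rawUrl, restartsSoFar) {
  const params = new URL(rawUrl).searchParams;

  let expired = false;
  for (const value of params.values()) {
    if (value.toLowerCase().includes(EXPIRED_MESSAGE)) expired = true;
  }

  if (expired) {
    // Bound the retries so a user who keeps idling on the MFA screen
    // cannot put the application into a redirect loop.
    if (restartsSoFar >= MAX_RESTARTS) {
      return { action: "show_error", reason: "mfa_challenge_timeout" };
    }
    return { action: "restart_login", reason: "mfa_challenge_timeout" };
  }

  // `error` and `code` are the standard OAuth 2.0 authorization response
  // parameters (RFC 6749); that this application receives them is an assumption.
  if (params.has("error")) {
    return { action: "show_error", reason: "authorization_error" };
  }
  if (params.has("code")) {
    return { action: "continue", reason: "authorization_code" };
  }
  return { action: "show_login", reason: "no_response_parameters" };
}

// Constructed sample redirects (hosts, parameter names and values are made up).
const samples = [
  ["https://app.example.test/callback?error_description=Transaction%20has%20expired", 0],
  ["https://app.example.test/login?message=Transaction+has+expired", 2],
  ["https://app.example.test/callback?code=SAMPLE&state=SAMPLE", 0],
];
for (const [url, restarts] of samples) {
  const { action, reason } = classifyRedirect(url, restarts);
  console.log(`${action} (${reason}) <- ${url}`);
}
```

Only fixed reason strings are returned, so text taken from the query string is never rendered back to the user.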