MFA Session Cookie (auth0-mf)

Overview

This article describes how the MFA session cookie works and clarifies whether the lifetime of the MFA session can be customized from the console.

Solution

It is not possible to configure the auth0-mf cookie or to set a custom value for the “Remember this device for 30 days” option (or its 7-day inactivity setting).

The MFA session cookie (auth0-mf) has a seven-day inactivity timeout (implemented with a cookie lifetime of seven days) and a maximum sliding expiration lifetime of 30 days. Check out this link for more details.

auth0-mf: MFA cookie - Used to establish the trust level for a given device.

The cookie is set right after the MFA challenge is finished (even when “Remember this device” is checked). It is renewed (with a sliding expiration) when the MFA is signaled as required, either via a Rule/Action or by the “Always on” policy.

A renewed auth0-mf cookie is then returned on every /authorize request, so the MFA session can last up to 30 days.

By default, the tenant has a “persistent” session enabled, so it will NOT kill the cookies when the users close the browser. This includes the MFA cookie.

By default, Auth0 creates a persistent cookie for the user session. If Non-Persistent is selected, the session cookie is invalidated when the browser is closed. If the user simply closes a tab, but the browser process remains running (for example, if other tabs are still open), non-persistent cookies for that tab are usually not cleared. Non-persistent cookies are typically not cleared until the browser process is terminated. So, if the browser process remains running and the user opens a new tab at the application URL, all the previously set cookies are still there. See this link for more details.

However, assuming that the user closes the browser without logging out, the default behaviour of Auth0 is to log them back in automatically. This is because the Auth0 session cookies are persistent. They do not get cleared when the browser process is terminated.

If this cookie is removed or modified in the browser, the user will be prompted for MFA again.

It is possible to set the maximum duration of the Auth0 sign-in session via tenant settings, but it is an imperfect solution. If it is set too low, the sign-in session can expire while the user is still using the application (causing further authorization requests, for example obtaining access tokens, to require re-authentication). If it is set too long, the user will remain signed in for that whole period.

When MFA is triggered via an Action using the following:

api.multifactor -> api.multifactor.enable(provider, options)

The options.allowRememberBrowser is an optional boolean that determines if the browser should be remembered so that the multifactor challenge can later be skipped. Defaults to false. Find more details here.

When MFA is triggered via an Action and allowRememberBrowser is set to false, it overrides the “remember this device” option, and the user will be prompted for MFA on every login. See this link for more details.

It is possible to disable the checkbox that allows the browser to remember the user’s MFA for up to 30 days by using a post-login Action to enforce a custom MFA policy:

exports.onExecutePostLogin = async (event, api) => {
  // allowRememberBrowser: false overrides the "Remember this device" checkbox,
  // so the auth0-mf cookie is not used to skip the challenge on later logins.
  api.multifactor.enable("any", { allowRememberBrowser: false });
};

Configuring silent Authentication will re-authenticate users without prompting them to log in. It uses a session cookie to determine the user’s identity and does not display any user interaction (such as authentication, consent, or MFA). Find more details here.

A refresh token is used to get a new access token without user interaction. More details can be found here.

Related References