MFA with OTP does not work properly when unchecking "Remember this device for 30 days"

We have been using MFA along with the default settings (so allowRememberBrowser was set to false).
It worked fine at the time, but having to input an OTP every time would be a hassle for users,
so we tried setting it to allowRememberBrowser: true.

The authentication succeeds if we check “Remember this device for 30 days” on the OTP screen.
However, if we uncheck it, the user cannot be authenticated. (We got “isAuthenticated = false” in our code with auth0-react after redirecting to our application.)

I tried setting it back to allowRememberBrowser: false, but the same problem occurred. (In other words, it doesn’t work properly unless we check “Remember this device for 30 days”, so we have to set allowRememberBrowser to true.)

I can’t figure out what the problem is.
How do we fix this?

library version:
auth0-react: 1.5.0


I’ve found the same behaviour: we can’t log in with MFA unless we check “Remember this device for 30 days”; otherwise login with MFA doesn’t work and sends you back to the login page.

This issue has been open since Dec ’21; do you have any update, or a way to fix it?

I have observed the same issue.

Currently using auth0-react: 1.9.0 with react 18.2.0;
I have a React app with Auth0 login management using only a Google Workspace connection. 2FA is currently enforced (email or authenticator). When the ‘remember’ checkbox is left unchecked on login, the user is redirected back to login after what seems like about 0.5 sec of being logged in. This loop persists until the checkbox is checked, at which point the app starts behaving as expected.

Hi all,

I believe this question has been answered on another thread here.

Go to your Auth0 tenant dashboard, MFA options, select “Never” instead of “Always”
Let us know if that resolves your issue.

I have “Never” selected and still have a loop where I have to continuously enter a new OTP but never log in.


How is that a solution? If I require users to have 2FA enabled, does that mean they will constantly be logged out unless they choose the option to ‘Remember device for 30 days’?
That doesn’t really make it an option then does it?

@nathan.jenkins, do we have a solution for this? Shutting 2FA/MFA off is not a solution at all.

I was running into the infinite loop issue until I added the completedMfa check, as I gleaned from the thread’s OP.

function multifactorAuthentication(user, context, callback) {
  // Guard: users without app_metadata would otherwise throw a TypeError here.
  const appMetadata = user.app_metadata || {};

  if (appMetadata.enforce_mfa) {
    // Refresh-token exchanges involve no user interaction, so never prompt on them.
    if (context.protocol === "oauth2-refresh-token") {
      return callback(null, user, context);
    }

    // Auth0 records each completed method in context.authentication.methods;
    // an entry named "mfa" means the user already passed MFA in this session.
    const completedMfa = !!context.authentication.methods.find(
      (method) => method.name === "mfa"
    );

    // Without this early return the rule demands MFA on every execution,
    // which produces the redirect loop described above.
    if (completedMfa) {
      return callback(null, user, context);
    }

    // MFA still outstanding: ask for it with whichever factor is enrolled.
    context.multifactor = {
      provider: "any",
    };
  }

  callback(null, user, context);
}

Hope this helps others who ran into a similar issue.

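To make the effect of that check visible without a tenant, here is an added harness (not the thread's or Auth0's own code) that runs the rule above, and a variant without the completedMfa check, against constructed user/context objects shaped like the Auth0 Rules API; the sample contexts and the helper names runRule and trace are assumptions.

```javascript
// Rule as posted above, with the completedMfa check (app_metadata guarded).
function ruleWithCompletedMfaCheck(user, context, callback) {
  const appMetadata = user.app_metadata || {};
  if (appMetadata.enforce_mfa) {
    if (context.protocol === "oauth2-refresh-token") {
      return callback(null, user, context);
    }
    const completedMfa = !!context.authentication.methods.find(
      (method) => method.name === "mfa"
    );
    if (completedMfa) {
      return callback(null, user, context);
    }
    context.multifactor = { provider: "any" };
  }
  callback(null, user, context);
}

// Variant without the check: demands MFA on every execution, even right after
// the user completed the OTP step, which is the loop reported in this thread.
function ruleWithoutCheck(user, context, callback) {
  const appMetadata = user.app_metadata || {};
  if (appMetadata.enforce_mfa) {
    context.multifactor = { provider: "any" };
  }
  callback(null, user, context);
}

// Run a rule on a copy of the context and report whether it demanded MFA.
function runRule(rule, user, context) {
  let demandedMfa = false;
  rule(user, { ...context }, (err, _user, ctx) => {
    if (err) throw err;
    demandedMfa = Boolean(ctx.multifactor);
  });
  return demandedMfa;
}

// Constructed sample objects (assumed shapes follow the Auth0 Rules context).
const user = { app_metadata: { enforce_mfa: true } };
const firstLogin = { protocol: "oidc-basic-profile", authentication: { methods: [{ name: "pwd" }] } };
const afterOtp = { protocol: "oidc-basic-profile", authentication: { methods: [{ name: "pwd" }, { name: "mfa" }] } };
const refresh = { protocol: "oauth2-refresh-token", authentication: { methods: [{ name: "pwd" }] } };

// Trace each rule over the same sequence: first login, the /authorize call
// after the OTP, then a refresh-token exchange. Only the checked rule stops asking.
function trace(rule) {
  return [firstLogin, afterOtp, refresh].map((ctx) => runRule(rule, user, ctx));
}
```

trace(ruleWithCompletedMfaCheck) yields [true, false, false], while trace(ruleWithoutCheck) yields [true, true, true], i.e. a fresh MFA demand on every pass.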

Thanks a lot for sharing that with the rest of community!

Thanks @janson, I will try that out!
Appreciate this
