
Multifactor authentication prompt is less than 30 days

According to the Auth0 documentation, by default: “The user will be able to decide if they want to skip MFA every 30 days when provider is set to other values”. Moreover, it states “In order to let the user skip MFA, a cookie will be stored in the user’s browser” (see https://auth0.com/docs/multifactor-authentication/custom).

We have had users report that they have to perform MFA more frequently than the stated 30 days. Upon investigation, it appears that the Auth0 cookie expires only 3 days after visiting the MFA screen. This may be one reason for the reported issue, as the cookie expiry is too soon. Is there any possible way to customise the length of time that a user can log in without being prompted for MFA?

Hi @travis.1

Do you have an MFA rule or are you using the toggle to force MFA to every user? If the former, can you show what the rule looks like?
What is the tenant name and region?

Hi @nicolas_sabena,
We have a ‘Multifactor-Guardian-Do-Not-Rename’ rule. We force MFA to every user through this rule (no check for the use_mfa flag):

```js
function (user, context, callback) {
  var MFA_ACTIVATED = true;
  if (MFA_ACTIVATED) {
    // Force a Guardian MFA challenge for every user; allowRememberBrowser
    // lets the user skip MFA on a remembered browser (cookie-based).
    context.multifactor = {
      provider: 'guardian',
      allowRememberBrowser: true,
    };
  }
  callback(null, user, context);
}
```

Can you please describe how to find the tenant name and region?

The MFA rule looks good.
The tenant name and region can be found in the top-right drop-down menu in the dashboard:

Hi @nicolas_sabena, our tenant name is “projectgaia” and region is AU - Developer.

Hi @travis.1, apologies for not coming back to you earlier, I missed the reply in my inbox.
I checked your tenant and there’s nothing wrong about it. I also tested the flow you mention and couldn’t reproduce.
Your user said 3 days, which is the default duration of the authentication session. Is it possible that what the user meant was that they need to log in every three days? If that’s the case, this is because of the session duration settings. The MFA session of 30 days is independent of that, and should still work even if the authentication session expires.
Also note that the MFA session is handled with cookies, so if the user clears cookies from your Auth0 domain, they’ll need to do the MFA challenge again.
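As an added example (not the original poster's rule or Auth0's own code), the same rule rewritten to honour a per-user `use_mfa` flag, which the poster mentions their rule does not check, and exercised offline with constructed user and context objects; the `app_metadata.use_mfa` field name, the fail-closed default and the small harness are assumptions.

```javascript
// Added example: an Auth0-style rule that forces MFA unless the user's
// app_metadata.use_mfa flag is explicitly false (constructed assumption;
// the rule on this page challenges every user unconditionally).
function mfaRule(user, context, callback) {
  const appMeta = user.app_metadata || {};
  // Fail closed: a missing flag still requires MFA, so a forgotten or
  // mis-provisioned attribute never silently disables the challenge.
  const requireMfa = appMeta.use_mfa !== false;

  if (requireMfa) {
    context.multifactor = {
      provider: 'guardian',
      // Let the user skip MFA on a remembered browser (cookie-based).
      allowRememberBrowser: true,
    };
  }
  return callback(null, user, context);
}

// Minimal offline harness (assumption: not part of Auth0's tooling) that
// runs the rule against constructed inputs and returns the final context.
function runRule(user) {
  let result = null;
  const context = { clientID: 'constructed-client-id' };
  mfaRule(user, context, (err, u, ctx) => {
    if (err) throw err;
    result = ctx;
  });
  return result;
}

// Constructed sample users.
const alice = { email: 'alice@example.com', app_metadata: { use_mfa: true } };
const bob = { email: 'bob@example.com', app_metadata: { use_mfa: false } };
const carol = { email: 'carol@example.com' }; // no flag set at all

console.log(runRule(alice).multifactor); // MFA enforced
console.log(runRule(bob).multifactor); // undefined: MFA skipped
console.log(runRule(carol).multifactor); // MFA enforced (fail closed)
```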