According to the Auth0 documentation, by default: “The user will be able to decide if they want to skip MFA every 30 days when provider is set to other values”. Moreover, it states “In order to let the user skip MFA, a cookie will be stored in the user’s browser” (see Customize Multi-Factor Authentication Pages).
We have had users report that they have to perform MFA more frequently than the stated 30 days. Upon investigation, it appears that the auth0 cookie expires only 3 days after visiting the MFA screen. This may be one reason for the reported issue, as the cookie expiry is too soon. Is there any possible way to customise the length of time that a user can log in without being prompted for MFA?
Do you have an MFA rule or are you using the toggle to force MFA to every user? If the former, can you show what the rule looks like?
What is the tenant name and region?
Hi @travis.1, apologies for not coming back to you earlier, I missed the reply in my inbox.
I checked your tenant and there’s nothing wrong about it. I also tested the flow you mention and couldn’t reproduce.
Your user said 3 days, which is the default duration of the authentication session. Is it possible that what the user meant was that they need to log in every three days? If that’s the case, this is because of the session duration settings. The MFA session of 30 days is independent of that, and should still work even if the authentication session expires.
Also note that the MFA session is handled with cookies, so if the user clears cookies from your Auth0 domain, they’ll need to do the MFA challenge again.
Hi Nicolas, we still have users reporting problems with the MFA length. We are also wondering if it is possible to customise the length of time before needing to do the MFA challenge again (e.g. 6 months).
Not sure if this was the case then, but I’ve read that the browser cookie for the MFA settings will expire in 7 days if the user never logs back into that device in that time frame. So my understanding is that it will only remember not to prompt for MFA IF the user is actively using that device.