
Multifactor authentication prompt is less than 30 days

According to the Auth0 documentation, by default: “The user will be able to decide if they want to skip MFA every 30 days when provider is set to other values”. Moreover, it states “In order to let the user skip MFA, a cookie will be stored in the user’s browser” (see https://auth0.com/docs/multifactor-authentication/custom).

We have had users report that they have to perform MFA more frequently than the stated 30 days. Upon investigation, it appears that the auth0 cookie expires only 3 days after visiting the MFA screen. This may be one reason for the reported issue as the cookie expiry is too soon. Is there any possible way to customise the length of time that a user can log in without being prompted for MFA?

Hi @travis.1

Do you have an MFA rule or are you using the toggle to force MFA to every user? If the former, can you show what the rule looks like?
What is the tenant name and region?

Hi @nicolas_sabena,
We have a ‘Multifactor-Guardian-Do-Not-Rename’ rule. We force MFA to every user through this rule (no check for the use_mfa flag):

    function (user, context, callback) {
      var MFA_ACTIVATED = true;
      if (MFA_ACTIVATED) {
        context.multifactor = {
          provider: 'guardian',
          allowRememberBrowser: true,
        };
      }
      callback(null, user, context);
    }

Can you please describe how to find the tenant name and region?