Thanks for replying.
We found that allowRememberBrowser=true behaves differently per factor, and for non-Google Authenticator options it depends on the user correctly setting that checkbox. So it seems unreliable to use.
In addition, after some more discussion, we also came to the conclusion that trying to set allowRememberBrowser is actually a bad thing. Only the user knows whether the environment he/she works in is safe enough to remember the browser. So we should never set this by default.
We are also communicating with Auth0 by email and got a proposed solution: checking context.request.query.prompt !== "none" in the MFA rule. This seemed to work, but after some testing we found that we have a security hole that bypasses MFA completely with this scenario:
- we go to our application
- application redirects to Auth0
- login with username/password
- when Guardian pops up, stop and go back to the application URL
- application redirects to Auth0
- intercept the redirect URL and add prompt=none
- MFA is bypassed
So we are back to the drawing board. Hopefully Auth0 will assist us in finding a solution or implementing a new feature.
Kind Regards,
Jan
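The flow Jan describes, modelled as an added example (not code from the thread or from Auth0): a stripped-down stand-in for an Auth0 rule context, the proposed rule that skips MFA whenever the query carries prompt=none, and a harness that replays the two redirects. The context objects, the `mfa` entry in `context.authentication.methods` and the hardened variant are assumptions for illustration; the point the harness makes is that a decision keyed off a caller-controlled query parameter is satisfied by whoever can edit the redirect URL.

```javascript
// Added example: simplified model of an Auth0 MFA rule. The context objects are
// constructed stand-ins for the real rule context, not Auth0's own objects.

// Proposed rule from the thread: skip MFA when the request carries prompt=none.
// Anything that can edit the redirect URL can set this parameter.
function proposedRule(context) {
  if (context.request.query.prompt !== 'none') {
    context.multifactor = { provider: 'guardian', allowRememberBrowser: false };
  }
  return context;
}

// Hardened variant (assumption, not from the thread): decide on whether this
// session has already completed MFA, modelled as an 'mfa' entry in
// context.authentication.methods, and ignore the query parameter entirely.
function hardenedRule(context) {
  const mfaDone = context.authentication.methods.some((m) => m.name === 'mfa');
  if (!mfaDone) {
    context.multifactor = { provider: 'guardian', allowRememberBrowser: false };
  }
  return context;
}

// Build a constructed rule context for one authorization request.
function makeContext(query, methods) {
  return {
    request: { query: query },
    authentication: { methods: methods },
    multifactor: undefined,
  };
}

// Replay the post's scenario against a rule:
//  1. first redirect, password login done, no prompt parameter
//  2. Guardian abandoned, second redirect with prompt=none appended by the user;
//     only the password method is present because MFA was never completed.
function simulateBypass(rule) {
  const first = rule(makeContext({}, [{ name: 'pwd' }]));
  const second = rule(makeContext({ prompt: 'none' }, [{ name: 'pwd' }]));
  return {
    firstRequiresMfa: Boolean(first.multifactor),
    secondRequiresMfa: Boolean(second.multifactor),
  };
}

// A session that really did complete MFA should not be prompted again by the
// hardened rule, even on a prompt=none (silent) request.
function simulateSilentAfterMfa(rule) {
  const ctx = rule(makeContext({ prompt: 'none' }, [{ name: 'pwd' }, { name: 'mfa' }]));
  return Boolean(ctx.multifactor);
}

module.exports = { proposedRule, hardenedRule, makeContext, simulateBypass, simulateSilentAfterMfa };
```

Running `simulateBypass(proposedRule)` reproduces the hole (the second request is let through without Guardian), while `simulateBypass(hardenedRule)` still demands MFA because the session has no completed `mfa` method. Whether the real rule context exposes that information in this form is an assumption here and should be confirmed against Auth0's documentation before relying on it.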