User Being Challenged with MFA Despite Checking "Remember this device for 30 days" Option

Last Updated Aug 28, 2024

Overview

User is being challenged for MFA every week even when checking the “Remember this device for 30 days” option.

Applies To

  • MFA
  • Remember Device

Solution

The MFA session cookie has a seven-day inactivity timeout, implemented with a cookie lifetime of seven days, and a maximum sliding expiration lifetime of 30 days.

When the Remember this device option is selected, the cookie's lifetime is not extended to 30 days automatically. Instead, it starts a process that renews the MFA cookie each time the user would otherwise be prompted for MFA, until the 30-day limit is reached.

The cookie is set right after the MFA challenge completes when Remember this device is checked. The cookie is renewed (sliding expiration) whenever MFA is signaled as required, either by an Action or by the Always on policy. A renewed auth0-mf cookie is then returned on each authorize request, so the MFA session can last up to 30 days.

It is important to note that the MFA cookie is only renewed when the user is (or should be) prompted for MFA. Adding an Action that conditionally skips MFA can mean the request never falls under the MFA required policy, so the cookie is not renewed and expires after seven days of not being renewed, breaking the Remember this device for 30 days flow.

This can also happen when non-persistent sessions are used, since in that case there is no way to remember the device for 30 days.
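To make the renewal rules above concrete, here is an added Python model of the cookie lifetime (example code written for this article, not Auth0's implementation). It assumes day granularity, a strict expiry check, and models an Action as a predicate that says whether MFA is required on a given day.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

INACTIVITY_DAYS = 7    # lifetime granted by each issue or renewal of the cookie
MAX_SLIDING_DAYS = 30  # hard ceiling counted from the MFA challenge that set the cookie


@dataclass(frozen=True)
class MfaCookie:
    issued_at: int   # day the MFA challenge completed with "Remember this device" checked
    expires_at: int  # current expiry: min(last renewal + 7, issued_at + 30)


def cookie_valid(cookie: Optional[MfaCookie], now: int) -> bool:
    # Assumption: expiry is strict, a cookie is no longer valid on its expires_at day.
    return cookie is not None and now < cookie.expires_at


def authorize(cookie: Optional[MfaCookie], now: int, mfa_required: bool) -> Tuple[bool, Optional[MfaCookie]]:
    """One authorize request. Returns (prompted_for_mfa, cookie_after_request).

    mfa_required is what the tenant policy (Always on, or an Action) signals for this request.
    """
    if not mfa_required:
        # MFA skipped by policy: no challenge, and crucially no renewal of the cookie.
        return False, cookie
    if cookie_valid(cookie, now):
        # MFA required but the device is remembered: slide the expiry, capped at 30 days.
        renewed_expiry = min(now + INACTIVITY_DAYS, cookie.issued_at + MAX_SLIDING_DAYS)
        return False, MfaCookie(cookie.issued_at, renewed_expiry)
    # No valid cookie: challenge the user, then set a fresh cookie.
    return True, MfaCookie(now, now + INACTIVITY_DAYS)


def simulate(login_days: Iterable[int], mfa_required: Callable[[int], bool]) -> List[int]:
    """Return the days on which the user was actually challenged for MFA."""
    cookie: Optional[MfaCookie] = None
    prompted_days: List[int] = []
    for day in login_days:
        prompted, cookie = authorize(cookie, day, mfa_required(day))
        if prompted:
            prompted_days.append(day)
    return prompted_days


if __name__ == "__main__":
    # Daily logins under the Always on policy: one challenge, then renewals up to day 30.
    print("always on, daily:", simulate(range(40), lambda d: True))
    # Same logins with an Action that only requires MFA every 10th day (constructed condition):
    # the cookie is never renewed in between, so each required day is a fresh challenge.
    print("conditional action, daily:", simulate(range(40), lambda d: d % 10 == 0))
```

The second scenario is the symptom in the overview: the cookie exists, but because MFA is not signaled as required on the intervening requests it is never renewed, and it has lapsed by the next time the Action asks for MFA.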
