User Being Challenged with MFA Despite Checking "Remember this device for 30 days" Option

Last Updated Jun 26, 2024

Problem Statement

One of the users is being challenged by MFA every week even when checking the “Remember this device for 30 days” option.

Solution

The MFA session cookie has a seven-day inactivity timeout (implemented with a cookie lifetime of seven days) and a maximum sliding expiration lifetime of 30 days. The cookie is set right after the MFA challenge is finished, provided “Remember this device” is checked. The cookie is renewed (sliding expiration) whenever MFA is signaled as required, either by a rule or by the “Always on” policy. A renewed auth0-mf cookie is then returned on every /authorize request, so the MFA session can last up to 30 days.

We have guidance on how to skip the MFA requirement under certain circumstances. For example, the “Require MFA once per session” rule has this logic:

function requireMfaOncePerSession(user, context, callback) {
  // Collect the authentication methods already completed in this session.
  let authMethods = [];
  if (context.authentication && Array.isArray(context.authentication.methods)) {
    authMethods = context.authentication.methods;
  }

  const completedMfa = !!authMethods.find((method) => method.name === 'mfa');

  // MFA already done in this session: skip it (and skip the multifactor assignment).
  if (completedMfa) {
    return callback(null, user, context);
  }

  // Signal that MFA is required for this /authorize request.
  context.multifactor = {
    provider: 'any',
    allowRememberBrowser: false
  };

  callback(null, user, context);
}

While the default rule sets allowRememberBrowser: false, customers might use allowRememberBrowser: true, effectively ending up with something like this:

function requireMfaOncePerSession(user, context, callback) {

  // Placeholder for whatever condition the customer's rule uses to skip MFA.
  if (mfaIsNotRequiredThisTimeForWhateverReason) {
    return callback(null, user, context);
  }

  context.multifactor = {
    provider: 'any',
    allowRememberBrowser: true
  };

  callback(null, user, context);
}

What happens here is that as long as the condition is met, the context.multifactor.provider = 'any' assignment won’t occur, so MFA is never signaled as required on those requests. Because of this, the auth0-mf cookie is not renewed, and the MFA session only lasts the seven-day cookie lifetime instead of sliding up to 30 days.
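The following simulation is an added example, not Auth0's code or the article's own. It models the cookie lifetime described above (seven-day inactivity timeout, 30-day sliding maximum, renewal only when a rule sets context.multifactor) and runs two rules through it: one that always signals MFA, and one with the conditional skip from the snippet above. The login cadence, the context.day field and the skip predicate standing in for "mfaIsNotRequiredThisTimeForWhateverReason" are constructed for the simulation.

```javascript
// Added example (not Auth0's code): a small model of the auth0-mf cookie
// lifetime, used to show why a rule that conditionally skips the
// context.multifactor assignment ends up re-challenging every seven days.
// The 7-day and 30-day limits come from the article; everything else
// (day numbering, login cadence, skip predicate) is constructed.

const INACTIVITY_DAYS = 7;    // cookie lifetime since last renewal
const MAX_LIFETIME_DAYS = 30; // sliding expiration ceiling since issuance

// Runs an Auth0-style rule (callback signature) and returns the resulting context.
function runRule(rule, user, context) {
  let result = null;
  rule(user, context, (err, u, ctx) => {
    if (err) throw err;
    result = ctx;
  });
  return result;
}

// Simulates /authorize requests on the given days (day 0 = first login)
// and returns the days on which the user was actually challenged for MFA.
function simulate(rule, loginDays) {
  let cookie = null; // { issuedAt, renewedAt } while a remembered device exists
  const challengeDays = [];

  for (const day of loginDays) {
    // context.day is a constructed field so the rule can decide by calendar day.
    const context = { day, authentication: { methods: [] } };
    const out = runRule(rule, { user_id: 'demo' }, context);

    // No multifactor assignment: MFA not signaled, cookie neither checked nor renewed.
    if (!out.multifactor) continue;

    const expiresAt = cookie
      ? Math.min(cookie.renewedAt + INACTIVITY_DAYS, cookie.issuedAt + MAX_LIFETIME_DAYS)
      : -Infinity;
    const remembered = cookie !== null && day < expiresAt
      && out.multifactor.allowRememberBrowser !== false;

    if (remembered) {
      cookie.renewedAt = day; // sliding renewal on every /authorize that signals MFA
    } else {
      challengeDays.push(day); // user completes MFA and ticks "Remember this device"
      cookie = { issuedAt: day, renewedAt: day };
    }
  }
  return challengeDays;
}

// Rule variant 1: MFA is always signaled, so the cookie slides up to 30 days.
function alwaysRequireMfa(user, context, callback) {
  context.multifactor = { provider: 'any', allowRememberBrowser: true };
  callback(null, user, context);
}

// Rule variant 2: the shape from the article, with a constructed stand-in for
// "mfaIsNotRequiredThisTimeForWhateverReason" (true except every tenth day).
function requireMfaConditionally(user, context, callback) {
  const mfaIsNotRequiredThisTime = context.day % 10 !== 0;
  if (mfaIsNotRequiredThisTime) {
    return callback(null, user, context);
  }
  context.multifactor = { provider: 'any', allowRememberBrowser: true };
  callback(null, user, context);
}

// Constructed cadence: the user signs in every five days for 60 days.
const everyFiveDays = Array.from({ length: 13 }, (_, i) => i * 5);

function challengesWithAlwaysRule() {
  return simulate(alwaysRequireMfa, everyFiveDays);
}

function challengesWithConditionalRule() {
  return simulate(requireMfaConditionally, everyFiveDays);
}

console.log('always signaled:', challengesWithAlwaysRule());           // [0, 30, 60]
console.log('conditionally skipped:', challengesWithConditionalRule()); // [0, 10, 20, 30, 40, 50, 60]
```

With the always-signaled rule the cookie is renewed on every login and the user is only challenged when the 30-day ceiling is reached. With the conditional rule the skipped logins never renew the cookie, so by the next login that does signal MFA the seven-day lifetime has already passed and a fresh challenge is issued, which is the weekly re-prompt described in the problem statement.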

Another reason this could happen is the use of non-persistent sessions, where there is no way to remember the device for 30 days. To suggest this functionality for a future release of Auth0, please submit a feature request using the Product Feedback form. More information about this process can be found in the article How do I submit Product feedback or feature requests?
