User being challenged with MFA despite checking "remember this device for 30 days"

Problem Statement

Users are challenged with MFA after seven days even if they check the "Remember this device for 30 days" option.

Solution

The MFA session cookie (auth0-mf) has a seven-day inactivity timeout (implemented as a cookie lifetime of seven days) and a maximum sliding-expiration lifetime of 30 days. The cookie is set right after the MFA challenge is completed, when "Remember this device" is checked. It is renewed (sliding expiration) only when MFA is signaled as required, either by a rule or by the "Always on" policy. In that case a renewed auth0-mf cookie is returned on every /authorize request, so the MFA session can last up to 30 days.

We have guidance on how to skip the MFA requirement under certain circumstances. For example, the “Require MFA once per session” rule has this logic:

function requireMfaOncePerSession(user, context, callback) {
  // Authentication methods already completed in the current session.
  let authMethods = [];
  if (context.authentication && Array.isArray(context.authentication.methods)) {
    authMethods = context.authentication.methods;
  }

  const completedMfa = !!authMethods.find((method) => method.name === 'mfa');

  // MFA already done in this session: skip it (and skip signaling it).
  if (completedMfa) {
    return callback(null, user, context);
  }

  // Otherwise signal that MFA is required for this request.
  context.multifactor = {
    provider: 'any',
    allowRememberBrowser: false
  };

  callback(null, user, context);
}

The rule as shipped sets allowRememberBrowser: false, but customers often change it to allowRememberBrowser: true, which effectively gives them something like this:

function requireMfaOncePerSession(user, context, callback) {

  // Placeholder for whatever condition the customer uses to skip MFA
  // (for example "MFA already completed in this session", as above).
  if (mfaIsNotRequiredThisTimeForWhateverReason) {
    return callback(null, user, context);
  }

  context.multifactor = {
    provider: 'any',
    allowRememberBrowser: true
  };

  callback(null, user, context);
}

What happens here is that whenever the skip condition is met, the rule returns before context.multifactor is assigned, so MFA is not signaled as required on that /authorize request and the auth0-mf cookie is not renewed. The cookie then simply runs out at the end of its seven-day lifetime, and the next login that does signal MFA challenges the user again, regardless of the 30-day option. For the remembered device to last the full 30 days, the rule has to keep setting context.multifactor (with allowRememberBrowser: true) on every request; the remembered-browser cookie then suppresses the prompt while still being renewed.
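To make the interaction concrete, the following is a small model of the cookie lifecycle described above, run against both rule variants. It is an added example, not Auth0's implementation and not code from the original post: the renewal rule it implements (extend by the seven-day inactivity window, capped at 30 days from the MFA completion, and only when a rule sets context.multifactor), the request schedule, the user object and the assumption that "Remember this device" is always checked are all assumptions made for the simulation.

```javascript
// Added example: a model of the auth0-mf cookie lifecycle (assumptions, not
// Auth0's code): the cookie is issued for 7 days when MFA completes, and is
// renewed for another 7 days (capped at 30 days from completion) only on
// /authorize requests where a rule set context.multifactor.
const DAY = 24 * 60 * 60 * 1000;
const INACTIVITY_MS = 7 * DAY;    // cookie lifetime on issue / renewal
const MAX_SLIDING_MS = 30 * DAY;  // hard cap from the MFA completion time

// Variant A (the "once per session" shape from the post): skip MFA entirely
// when the current session already completed it.
function skipWhenMfaDone(user, context, callback) {
  const methods = (context.authentication && context.authentication.methods) || [];
  if (methods.some((m) => m.name === 'mfa')) {
    return callback(null, user, context);
  }
  context.multifactor = { provider: 'any', allowRememberBrowser: true };
  callback(null, user, context);
}

// Variant B: always signal MFA and let the remembered-browser cookie
// suppress the prompt.
function alwaysSignalMfa(user, context, callback) {
  context.multifactor = { provider: 'any', allowRememberBrowser: true };
  callback(null, user, context);
}

// One /authorize request. state = { cookie: {mfaCompletedAt, expiresAt} | null,
// sessionHasMfa: bool }. Returns the new state plus whether a code was entered.
function authorize(state, now, rule, user = { user_id: 'auth0|example' }) {
  const cookie = state.cookie;
  const cookieValid = cookie !== null && now < cookie.expiresAt;
  const context = {
    authentication: { methods: state.sessionHasMfa ? [{ name: 'mfa' }] : [] },
  };
  let ruleErr = null;
  rule(user, context, (err) => { ruleErr = err; });
  if (ruleErr) throw ruleErr;

  if (!context.multifactor) {
    // Rule did not signal MFA: no prompt, but no cookie renewal either.
    return { ...state, challenged: false };
  }
  if (cookieValid && context.multifactor.allowRememberBrowser) {
    // Remembered browser: prompt suppressed, cookie renewed (sliding expiration).
    const expiresAt = Math.min(now + INACTIVITY_MS, cookie.mfaCompletedAt + MAX_SLIDING_MS);
    return { cookie: { mfaCompletedAt: cookie.mfaCompletedAt, expiresAt },
             sessionHasMfa: true, challenged: false };
  }
  // Cookie missing or expired: the user enters a code and (assumption) checks
  // "Remember this device", so a fresh cookie is issued.
  return { cookie: { mfaCompletedAt: now, expiresAt: now + INACTIVITY_MS },
           sessionHasMfa: true, challenged: true };
}

// Runs a schedule of requests and returns the days on which a code was required.
// A newSession entry models a fresh login: 'mfa' is absent from
// context.authentication.methods until MFA is completed again.
function simulate(rule, schedule) {
  let state = { cookie: null, sessionHasMfa: false };
  const challengedOn = [];
  for (const { day, newSession } of schedule) {
    if (newSession) state = { ...state, sessionHasMfa: false };
    state = authorize(state, day * DAY, rule);
    if (state.challenged) challengedOn.push(day);
  }
  return challengedOn;
}

// Constructed schedule: a /authorize every 3 days for 36 days, with a fresh
// login (new session) every 9 days.
const SCHEDULE = [];
for (let day = 0; day <= 36; day += 3) {
  SCHEDULE.push({ day, newSession: day % 9 === 0 });
}

console.log('skip when done :', simulate(skipWhenMfaDone, SCHEDULE));  // [0, 9, 18, 27, 36]
console.log('always signal  :', simulate(alwaysSignalMfa, SCHEDULE));  // [0, 30]
```

With the skipping rule the cookie issued on day 0 is never renewed, so the first fresh login after day 7 (day 9 in this schedule) prompts again, and the pattern repeats every nine days; with the always-signal rule every request renews the cookie and the user is only prompted again when the 30-day cap is reached.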
