Users unable to login when "Remember this browser" option is enabled for MFA

Hi @gy.ny-k

Welcome to the Auth0 Community!

I understand that you are seeing a login loop when the "Remember this device" option is enabled for MFA.

This is a known behaviour that occurs due to how the Post-Login Actions interact with application SDKs (like auth0-react or auth0-angular) during session renewals and subsequent logins, especially if the SDK attempts to renew tokens silently. After the user logs in, completes MFA and checks the "Remember this device" option, on subsequent logins the SDK attempts to renew tokens silently (e.g., via getAccessTokenSilently or a refresh token). Your Post-Login Action runs unconditionally and calls api.multifactor.enable() again, and the request is flagged as requiring an MFA challenge.

You should be able to keep allowing your users to check the "Remember this device" option while fixing the login loop by modifying your Post-Login Action to check whether MFA was already completed or if the request is a silent/refresh-token flow. The following documentation on Silent authentication with Multi-factor Authentication is a great resource in this regard and offers the following Post-Login Action template:

exports.onExecutePostLogin = async (event, api) => {
  const authMethods = event.authentication?.methods || []

  const completedMfa = !!authMethods.find((method) => method.name === 'mfa')

  if (!completedMfa) {
    api.multifactor.enable('any', { allowRememberBrowser: true })
  }
};

Allow me to also share the following topics and documentation on the matter, which should prove useful depending on your configurations:

Hope this helped provide some additional details regarding the behaviour that you are seeing and thank you for reporting this to our end! Please reach out to us for any other issues or requests, we will gladly look into it.

Best regards,
Gerald
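
Added example, not part of the reply above or of Auth0's documentation: a local harness that runs the template from the reply and an unconditional variant against constructed events, showing which executions request an MFA challenge. The mock `api` object, the helper names and the sample events are assumptions made for illustration; only `event.authentication.methods` and `api.multifactor.enable` come from the reply.

```javascript
// Handler that always requests MFA, as in the looping setup described above.
const unconditionalAction = async (event, api) => {
  api.multifactor.enable('any', { allowRememberBrowser: true });
};

// Template from the reply: request MFA only if the session has no 'mfa' method.
const conditionalAction = async (event, api) => {
  const authMethods = event.authentication?.methods || [];
  const completedMfa = !!authMethods.find((method) => method.name === 'mfa');
  if (!completedMfa) {
    api.multifactor.enable('any', { allowRememberBrowser: true });
  }
};

// Hypothetical mock of the Actions api object: records enable() calls only.
function makeMockApi() {
  const calls = [];
  const enable = (provider, options) => { calls.push({ provider, options }); };
  return { calls, multifactor: { enable } };
}

// Runs one handler against one event; true if it asked for an MFA challenge.
async function requestsMfa(handler, event) {
  const api = makeMockApi();
  await handler(event, api);
  return api.calls.length > 0;
}

// Constructed sample events (not captured from a real tenant).
const sampleEvents = {
  firstLogin: { authentication: { methods: [{ name: 'pwd' }] } },
  mfaAlreadyDone: { authentication: { methods: [{ name: 'pwd' }, { name: 'mfa' }] } },
  noAuthentication: {},
};

// Returns { eventName: { unconditional, conditional } } as booleans.
async function compareHandlers() {
  const result = {};
  for (const [name, event] of Object.entries(sampleEvents)) {
    result[name] = {
      unconditional: await requestsMfa(unconditionalAction, event),
      conditional: await requestsMfa(conditionalAction, event),
    };
  }
  return result;
}

compareHandlers().then((r) => console.table(r));
```

The `mfaAlreadyDone` row is the only one where the two handlers differ: the unconditional handler asks for a challenge again, the conditional one does not.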