2FA seems to have stopped working

Question

We enabled two-factor authentication and, at first, it seemed to be working. However, most of our users aren't getting the 2FA prompts any more. Any ideas why?

Answer

Assuming that you haven’t disabled 2FA altogether, this is probably an artifact of Hosted Login’s support for trusted devices. With trusted devices, a user logs on the first time and is required to go through the 2FA process. As part of that process, however, the user can mark their device as a “trusted device.” That means that, for a specified period of time (and under certain conditions), the user is exempt from two-factor authentication: after they log on they’re given an access token and are allowed to bypass the 2FA process. By default, users can go 30 days without having to deal with 2FA; that means they can go quite a while (like, say, 30 days) without ever being prompted to enter a 2FA access code. (Again, assuming that they are logging on from a trusted device.)

The bottom line? It’s not unusual for users to go through 2FA the first time they log on, then be able to bypass 2FA for weeks at a time.

You say you’re not sure you like that? That’s fine: by adding the authentication.second_factor.trust_device_ttl setting to your application client you can change the 30-day exemption period to something shorter; in fact, by setting authentication.second_factor.trust_device_ttl to 0 you can require users to use 2FA each and every time they log on. See Require 2FA on every login for details.
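As an added illustration (not Hosted Login’s own code), here is a small Python model of the trusted-device exemption described above. It assumes that trust_device_ttl is expressed in seconds, which this page does not state, and that a user re-marks the device as trusted every time they are prompted.

```python
# Illustrative model of the trusted-device exemption; not Hosted Login's implementation.
# Assumption: authentication.second_factor.trust_device_ttl is a number of seconds.
DAY = 24 * 60 * 60
DEFAULT_TRUST_DEVICE_TTL = 30 * DAY  # the 30-day default described on the page


def needs_second_factor(trusted_at, now, trust_device_ttl=DEFAULT_TRUST_DEVICE_TTL):
    """Return True if the user must complete 2FA on this login.

    trusted_at: epoch seconds when the device was marked trusted (None if never)
    now: current time in epoch seconds
    trust_device_ttl: value of authentication.second_factor.trust_device_ttl
    """
    if trust_device_ttl <= 0:
        # 0 means "require 2FA on every login": no exemption at all
        return True
    if trusted_at is None:
        # device never marked as trusted: always prompt
        return True
    # exemption has run out once the TTL has elapsed
    return now >= trusted_at + trust_device_ttl


def prompts_over_period(days, trust_device_ttl=DEFAULT_TRUST_DEVICE_TTL):
    """Count 2FA prompts seen by a user who logs on once a day for `days` days.

    Assumes the user marks the device as trusted each time they are prompted,
    so the exemption window restarts at every prompt.
    """
    trusted_at = None
    prompts = 0
    for day in range(days):
        now = day * DAY
        if needs_second_factor(trusted_at, now, trust_device_ttl):
            prompts += 1
            trusted_at = now  # user trusts the device again
    return prompts


if __name__ == "__main__":
    # Daily user over 90 days: 3 prompts with the default, 13 with a 7-day TTL,
    # and one prompt per login when the TTL is 0.
    print("default 30-day TTL:", prompts_over_period(90))
    print("7-day TTL:", prompts_over_period(90, 7 * DAY))
    print("TTL 0:", prompts_over_period(90, 0))
```

Running it shows why a user can go weeks without a prompt under the default, and how a shorter TTL or a TTL of 0 changes that.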