
Trusted Devices

When MFA is enabled, users can check “Trust this device” after a successful MFA verification. Autentico sets a long-lived cookie on the browser — on future logins from the same browser, the MFA step is skipped automatically.

  1. User completes MFA successfully
  2. User checks the “Trust this device” checkbox before submitting the MFA form
  3. Autentico creates a trusted_devices record tied to the user and stores a signed token in a cookie
  4. On subsequent logins from the same browser, Autentico finds the cookie, looks up the trusted device record, validates it, and bypasses the MFA challenge

The trusted device token is stored in the trusted_devices table with:

Field          Description
id             Opaque token stored in the cookie
user_id        User the device is trusted for
device_name    User-agent string at trust time
created_at     When the device was first trusted
last_used_at   Last time the device skipped MFA
expires_at     Expiry — after this the device must re-verify MFA

The feature is controlled by two settings:

Setting                   Default   Description
trust_device_enabled      false     Enable or disable the trusted device feature globally
trust_device_expiration   720h      How long a trusted device remains valid (e.g. 168h = 7 days)

Both settings can be overridden per-client. See Per-Client Overrides.

In the Admin UI: Settings → set trust_device_enabled to true.

Via API:

```bash
curl -X PUT https://auth.example.com/admin/api/settings \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"trust_device_enabled": "true", "trust_device_expiration": "720h"}'
```

Once enabled, a “Trust this device” checkbox appears on the MFA page.

Trusted devices are cleared when:

  • The device record expires (expires_at passes)
  • The user explicitly logs out
  • An admin deactivates the user’s sessions
  • The background cleanup job removes expired records
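The flow and table above, as an added example in Go that is not Autentico's own code: an in-memory stand-in for the trusted_devices table, HMAC-SHA256 signing of the opaque id (an assumption, the page only says the cookie token is signed), and the checks a login must pass before the MFA step is skipped, including the expires_at check that the expiry setting and the cleanup job rely on. The Store, Trust and Validate names are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"strings"
	"time"
)

// TrustedDevice mirrors the columns of the trusted_devices table.
type TrustedDevice struct {
	ID, UserID, DeviceName           string
	CreatedAt, LastUsedAt, ExpiresAt time.Time
}

// Store is a hypothetical in-memory stand-in for that table (not Autentico's code).
type Store struct {
	key     []byte // HMAC-SHA256 key: an assumption, the page only says the token is signed
	devices map[string]*TrustedDevice
}

func NewStore(key []byte) *Store { return &Store{key, map[string]*TrustedDevice{}} }

// sign appends a MAC over the opaque id so an edited or forged cookie fails verification.
func (s *Store) sign(id string) string {
	m := hmac.New(sha256.New, s.key)
	m.Write([]byte(id))
	return id + "." + hex.EncodeToString(m.Sum(nil))
}

// Trust is step 3: create the record and return the signed value to set in the cookie.
func (s *Store) Trust(userID, userAgent string, ttl time.Duration, now time.Time) string {
	raw := make([]byte, 16)
	rand.Read(raw)
	id := hex.EncodeToString(raw)
	s.devices[id] = &TrustedDevice{ID: id, UserID: userID, DeviceName: userAgent,
		CreatedAt: now, LastUsedAt: now, ExpiresAt: now.Add(ttl)}
	return s.sign(id)
}

// Validate is step 4: MFA is skipped only if the signature verifies and an unexpired
// record exists for the user who is logging in (the cleanup job removes expired rows).
func (s *Store) Validate(cookie, userID string, now time.Time) bool {
	id, _, ok := strings.Cut(cookie, ".")
	if !ok || !hmac.Equal([]byte(s.sign(id)), []byte(cookie)) {
		return false
	}
	d := s.devices[id]
	if d == nil || d.UserID != userID || !now.Before(d.ExpiresAt) {
		return false
	}
	d.LastUsedAt = now // last_used_at
	return true
}
```

Logout and admin session deactivation map onto deleting every record whose user_id matches the user; a tampered cookie fails the MAC check before the table is consulted at all.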