Trusted Devices

When MFA is enabled, users can check “Trust this device” after a successful MFA verification. Autentico sets a long-lived cookie on the browser — on future logins from the same browser, the MFA step is skipped automatically.

How it works

User completes MFA successfully
User checks the “Trust this device” checkbox before submitting the MFA form
Autentico creates a trusted_devices record tied to the user and stores a signed token in a cookie
On subsequent logins from the same browser, Autentico finds the cookie, looks up the trusted device record, validates it, and bypasses the MFA challenge

The trusted device token is stored in the trusted_devices table with:

Field	Description
`id`	Opaque token stored in the cookie
`user_id`	User the device is trusted for
`device_name`	User-agent string at trust time
`created_at`	When the device was first trusted
`last_used_at`	Last time the device skipped MFA
`expires_at`	Expiry — after this the device must re-verify MFA

Configuration

Setting	Default	Description
`trust_device_enabled`	`false`	Enable or disable the trusted device feature globally
`trust_device_expiration`	`720h`	How long a trusted device remains valid (e.g. `168h` = 7 days)

Both settings can be overridden per-client. See Per-Client Overrides.

Enabling trusted devices

In the Admin UI: Settings → set trust_device_enabled to true.

Via API:

curl -X PUT https://auth.example.com/admin/api/settings \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"trust_device_enabled": "true", "trust_device_expiration": "720h"}'

Once enabled, a “Trust this device” checkbox appears on the MFA page.

Managing trusted devices

Trusted devices are cleared when:

The device record expires (expires_at passes)
The user explicitly logs out
An admin deactivates the user’s sessions
The background cleanup job removes expired records