When you enable two-factor authentication in Hosted Login, the two-factor authentication screen displayed to users (e.g., the authRule_secondFactorLoginCode screen) includes a checkbox labeled Trust this device for future logins.
This checkbox enables users to control (based on limits you set) whether or not they’ll be required to use two-factor authentication on each and every login. From a high-level perspective, the checkbox works like this (don’t worry: we’ll look at two-factor authentication in more detail here):
- If the user does not select the Trust this device for future logins checkbox then, in effect, nothing happens: each time a user is required to log on (at least using this particular device) he or she needs to enter their login credentials and a two-factor authentication access code. No exceptions.
- If the user selects this checkbox, however, then things get a little more interesting. (We should probably clarify that just selecting the checkbox doesn’t do anything. Instead, you must select the checkbox, enter a valid access code, click Continue, and successfully log on. Only then will your device be trusted.)
After a user selects the Trust this device for future logins checkbox (and after he or she successfully logs on), the two-factor authentication time-to-live interval commences. By default, this time interval is set to 30 days; that means that, for the next 30 days, and as long as the user logs on from the same device, he or she does not have to deal with two-factor authentication. For example, suppose User A logs on to your website on Monday, selecting Trust this device for future logins when they do. After doing whatever can be done on your website, the user logs out, ending their Hosted Login session.
On Tuesday the user returns to your website and, from the same device they used on Monday, signs in again. As expected (because there isn’t a pre-existing Hosted Login session), the user is presented with the sign-in screen and asked to provide their login credentials.
However, because the user is logging on from a trusted device, he or she is not required to go through the two-factor authentication process. Instead, the user is simply logged on.
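The decision flow described above can be modeled in a few lines. This is an added example, not Hosted Login's own code: the page does not say how device trust is stored, so the signed token format, `SERVER_KEY`, and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

TRUST_TTL = timedelta(days=30)        # default time-to-live stated above
SERVER_KEY = secrets.token_bytes(32)  # assumption: server-side signing key


def _sign(user_id: str, expires: int) -> str:
    msg = f"{user_id}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_trust_token(user_id, now, trust_checked, code_valid):
    """Trust starts only after a successful login with the checkbox selected."""
    if not (trust_checked and code_valid):
        return None
    expires = int((now + TRUST_TTL).timestamp())
    return f"{user_id}|{expires}|{_sign(user_id, expires)}"


def second_factor_required(user_id, now, token):
    """True unless the device presents a valid, unexpired token for this user."""
    if not token:
        return True
    try:
        tok_user, expires_s, sig = token.split("|")
        expires = int(expires_s)
    except ValueError:
        return True  # malformed token: fail closed
    if not hmac.compare_digest(sig, _sign(tok_user, expires)):
        return True  # tampered token: fail closed
    return tok_user != user_id or now.timestamp() >= expires


if __name__ == "__main__":
    # Constructed sample: User A trusts the device on Monday, returns on Tuesday.
    monday = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    token = issue_trust_token("user-a", monday, trust_checked=True, code_valid=True)
    for days in (1, 29, 30):
        when = monday + timedelta(days=days)
        print(days, second_factor_required("user-a", when, token))
```
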