[Bug]: MFA Trust tokens only remember first user that logged in
What happened?
When a user does MFA in FusionAuth and checks the "Trust this computer for 30 days" checkbox, it drops a trust cookie on the browser to let them bypass future MFA challenges. In a scenario where there are multiple users on the same device, the trust cookie does not get overwritten by the last user like I had expected.
Instead, the initial cookie remains unless you manually clear it.
No matter how many users log in after the first user and complete MFA with the "Trust this computer" checkbox enabled, the trust cookie is not overwritten and will still only apply to the first user. This is true when all users exist in the same tenant.
If the users are in different Tenants, the trust cookie will get overwritten as expected.
Steps to reproduce:
- Have MFA enabled on an Application and have two users with MFA set up
- Log in with User A into the Application and complete MFA with "Trust this computer" checked
- Log out with User A
- Log in with User B and complete MFA with "Trust this computer" checked
- Log out with User B
- Log in again with User B; this time you will still get prompted for MFA even though you just went through MFA with "Trust this computer" checked.
I would expect the last user who logged in to override the existing trust cookie for the first user and get a new one, but that does not seem to be the case.
Version
1.57.1
Affects Versions
No response
Alternatives / Workarounds
Have your application or workflow clear the trust cookie manually or during the logout flow so that a new one can be placed by the next user. In general this would be a bad idea because it assumes you know the next user to login will be different than the one that just logged out.
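To make the reported behaviour concrete, here is an added model (not FusionAuth's code) that replays the reproduction steps above and the logout-clearing workaround under a "first-wins" policy, which is what the report observes, and a "latest-wins" policy, which is what the reporter expected. The tenant ids, user ids and policy names are constructed for the model; the single-cookie assumption follows the report's note that logins from a different tenant do overwrite the cookie.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class TrustCookie:
    tenant_id: str
    user_id: str

class Browser:
    """Constructed model of one browser holding a single MFA trust cookie."""
    def __init__(self) -> None:
        self.trust: Optional[TrustCookie] = None

def mfa_required(browser: Browser, tenant_id: str, user_id: str) -> bool:
    """The trust cookie only bypasses MFA for the user it was issued to."""
    c = browser.trust
    return c is None or c.tenant_id != tenant_id or c.user_id != user_id

def complete_mfa(browser: Browser, tenant_id: str, user_id: str, policy: str) -> None:
    """Record the 'Trust this computer' decision after a passed MFA challenge."""
    c = browser.trust
    if policy == "first-wins" and c is not None and c.tenant_id == tenant_id:
        return  # observed behaviour: a same-tenant cookie is left untouched
    # "latest-wins" (the expected behaviour) and any cross-tenant login replace it
    browser.trust = TrustCookie(tenant_id, user_id)

def logout(browser: Browser, clear_trust: bool) -> None:
    """The reported workaround: optionally drop the trust cookie on logout."""
    if clear_trust:
        browser.trust = None

def run_scenario(policy: str, clear_on_logout: bool,
                 logins: List[Tuple[str, str]]) -> List[bool]:
    """Replay (tenant, user) logins, each completing MFA with trust checked
    when challenged, and return which of them were challenged for MFA."""
    browser = Browser()
    challenged = []
    for tenant_id, user_id in logins:
        prompted = mfa_required(browser, tenant_id, user_id)
        challenged.append(prompted)
        if prompted:
            complete_mfa(browser, tenant_id, user_id, policy)
        logout(browser, clear_on_logout)
    return challenged

if __name__ == "__main__":
    repro = [("t1", "A"), ("t1", "B"), ("t1", "B")]
    print("observed :", run_scenario("first-wins", False, repro))   # [True, True, True]
    print("expected :", run_scenario("latest-wins", False, repro))  # [True, True, False]
    # the workaround's downside: the same user returning is challenged every time
    print("cleared  :", run_scenario("first-wins", True, [("t1", "A"), ("t1", "A")]))  # [True, True]
```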
Related
- https://github.com/FusionAuth/fusionauth-issues/issues/3126
TBD if this is a bug, or just not working ideally as designed - but we should review this behavior. I am not sure why we would not want to update the existing cookie for the latest user to complete MFA.
I added a link to the related issue for supporting a trust state for multiple users on the same device, but this seems like a security risk. So unless we want to consider that option, perhaps we just need to remove the prior user's trust and update for the current user.
We should probably perform an internal recreate. Quickly reviewing this login workflow, it appears we are correctly setting the two-factor trust token for each user, unless the API is not returning a twoFactorTrustId, which would indicate the user did not select the checkbox to trust the device.