Best way of handling 2fa

Heyo folks! I have recently added 2fa into my app and I don’t really want to force users to go through the 2fa process every time. They should have to enter the code only if their device is not recognized. I’ve added an ip check and I’m storing current & previous ips (which get deleted after 30 days of inactivity), but I’m not sure if this is the best approach since IP addresses can change quite frequently.
Is there maybe something else that’s a better approach? Something that lasts longer than an IP address?

Would appreciate any input!

What are we talking about when you say app? A mobile app? Then why don‘t you use Face ID or Touch ID?
If you talk about a general web application which is used in a browser, you have to choose.

  1. Your app is working with critical data. So you need the MFA. How long the MFA session should last also depends on the type of data you store.
  2. You have no critical data. So don‘t bother the user with MFA. They will not thank you for it.

Weakening the MFA with any trick makes no sense at all.


You could generate some random, cryptographically secure, token and store that in the database and drop a cookie with that value. If somebody has that cookie and it’s for the right username, skip 2fa authentication.

Of course, record the end date when the cookie is valid in the database. Don’t rely on the cookie expiration (that can be altered by clients).

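An added example (not code from any poster) of the "remember this device" scheme described in the answer above: after a successful 2FA the server mints a random token with the OS CSPRNG, stores it server-side together with its own expiry bound to the user, and hands the token to the browser as a cookie. On the next login the cookie is only honoured if the stored record exists, is unexpired by the server's clock, and belongs to the same user. The in-memory dict standing in for the database, the 30-day trust window, the cookie name `device_trust` and the choice to store a SHA-256 hash of the token rather than the raw value are all assumptions of this example.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Constructed stand-in for a database table: token_hash -> (user_id, expires_at).
# A real app would use a table with columns (user_id, token_hash, expires_at).
TRUSTED_DEVICES: dict = {}

# Assumed trust window; tune to the sensitivity of the data.
TRUST_DURATION = timedelta(days=30)

COOKIE_NAME = "device_trust"  # assumed cookie name


def _hash_token(token: str) -> str:
    # Only the hash is stored, so a leaked table cannot be replayed as cookies.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_device_token(user_id: str, now: Optional[datetime] = None) -> Tuple[str, datetime]:
    """Call right after a successful 2FA. Returns the raw cookie value and the
    server-side expiry that is persisted alongside it."""
    now = now or datetime.now(timezone.utc)
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    expires_at = now + TRUST_DURATION
    TRUSTED_DEVICES[_hash_token(token)] = (user_id, expires_at)
    return token, expires_at


def set_cookie_header(token: str, expires_at: datetime, now: datetime) -> str:
    """Build the Set-Cookie header. Max-Age is a hint for the browser only; the
    stored expires_at is what the server actually enforces."""
    max_age = int((expires_at - now).total_seconds())
    return (f"{COOKIE_NAME}={token}; Path=/; Max-Age={max_age}; "
            f"Secure; HttpOnly; SameSite=Lax")


def device_is_trusted(user_id: str, cookie_value: Optional[str],
                      now: Optional[datetime] = None) -> bool:
    """True only if the presented cookie maps to a stored, unexpired record for
    this exact user. The cookie's own expiry attribute is never consulted
    because the client controls it."""
    if not cookie_value:
        return False
    now = now or datetime.now(timezone.utc)
    key = _hash_token(cookie_value)
    record = TRUSTED_DEVICES.get(key)
    if record is None:
        return False  # unknown or previously revoked token
    stored_user, expires_at = record
    if now >= expires_at:
        TRUSTED_DEVICES.pop(key, None)  # lazy cleanup of expired rows
        return False
    # Bind the token to the account that is logging in, so a cookie captured
    # from one account cannot skip 2FA for another.
    return stored_user == user_id


def revoke_all_for_user(user_id: str) -> int:
    """Forget every trusted device for a user (e.g. on password change).
    Returns how many records were removed."""
    doomed = [k for k, (uid, _) in TRUSTED_DEVICES.items() if uid == user_id]
    for k in doomed:
        del TRUSTED_DEVICES[k]
    return len(doomed)


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    tok, exp = issue_device_token("alice", t0)
    print(set_cookie_header(tok, exp, t0))
    print("same user, day 1:", device_is_trusted("alice", tok, t0))
    print("other user:", device_is_trusted("bob", tok, t0))
    print("day 31:", device_is_trusted("alice", tok, t0 + timedelta(days=31)))
```

In the login flow, `device_is_trusted` runs after the password check and before the 2FA prompt; when it returns `False` the user completes 2FA and `issue_device_token` mints a fresh token. Revoking on password change or from an account's device list is what keeps this from becoming a permanent bypass.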

It’s a web application. Well, it’s working with critical data, but I’ve got a lot of feedback from the clients that they don’t want to “enter the code every time they open the app”. I was wondering how Google handles that, for example, because Google asks you for a code only when it detects an unusual login, but I don’t know if they run that based on the IP address or something else. I totally agree with you, it doesn’t make sense to weaken MFA, that’s why I’m trying to find something in the middle here.

That’s a good idea. I like it more than the IP address. I’ll try that, thanks!
