Arsamps

Reputation: 31

Azure AD B2C Multi-Factor Authentication Remember Device

I'm trying to configure my Active Directory B2C web app to remember a device after a user has gone through multi-factor authentication.

Currently, each time a user logs in, they are prompted to complete MFA regardless of whether they've just logged in and out.

I know there is a configuration option with non-B2C tenants to set up device remembering, but I haven't been able to figure out how to do this with a B2C tenant.

Upvotes: 2

Views: 1391

Answers (2)

Arsamps

Reputation: 31

I ended up creating two sign-in policies. One with MFA and the other one without MFA.

I would initially guide the user through the non-MFA sign-in policy, and when they were redirected back to my site, I would check for a unique user-specific cookie with a unique user-specific encrypted value I would create for them, signaling whether they had passed through MFA within the past 14 days. If they didn't have this cookie, I found I could then pass the user to the MFA sign-in policy, and it would skip straight through to the MFA portion. Once the user had successfully completed this step, I would create a cookie signaling their successful MFA and set it to expire in 14 days.

Of course you also need handling for cancellations during the MFA sign-in step so you can sign out the user on your website and have other checks in case they opened another tab and went back to your site (since they are technically logged in at this point) to prevent non-MFA approved users from having access.

Upvotes: 1

Jacob Davidson

Reputation: 1

You could use multiple policies and create a cookie to accomplish this. For example, you could create two nearly identical sign-in policies, one of which has multi-factor authentication turned on and the other has it turned off. When the user attempts to log in, check for the cookie. If it doesn't exist, use the multi-factor-authentication-enabled policy (and vice versa). When the user is successfully authenticated, check for the cookie, create it if it doesn't exist, and set it to expire whenever you want it to (e.g. after 14 days).

Upvotes: 0
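Both answers above rely on the same building block: a cookie that proves this browser passed MFA for this user within the last 14 days, and a decision that sends the user through the MFA-enabled policy only when that proof is missing. The Python below is an added worked example of that check, not code from either answer or from Azure AD B2C. It assumes two user flows named `B2C_1_signin_mfa` and `B2C_1_signin_nomfa`, a cookie named `mfa_ok`, and a server-side secret key; all of these names are assumptions. Where the first answer mentions an "encrypted value", this version uses an HMAC tag instead: the cookie contents need not be secret, only unforgeable and bound to the user id and expiry, which a MAC gives more simply than encryption. The `can_access_protected` gate covers the cancellation and second-tab cases the first answer raises, by keying access off the app's own session flag rather than off B2C sign-in alone.

```python
import base64
import hashlib
import hmac
import time

# Assumed user-flow names (not from the original answers): one sign-in
# policy with MFA enforced, one without.
POLICY_WITH_MFA = "B2C_1_signin_mfa"
POLICY_WITHOUT_MFA = "B2C_1_signin_nomfa"

# The 14-day "remember MFA" window described in the answers.
MFA_REMEMBER_SECONDS = 14 * 24 * 60 * 60


def _tag(key, payload):
    """HMAC-SHA256 over the cookie payload; the key never leaves the server."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_mfa_cookie(key, user_id, now=None):
    """Build the 'MFA passed' cookie value right after the MFA policy succeeds.

    The payload is '<user id>|<expiry>' and the HMAC tag covers both, so a
    value copied from another user's browser, or one with the expiry edited,
    fails verification.
    """
    now = int(time.time()) if now is None else now
    payload = f"{user_id}|{now + MFA_REMEMBER_SECONDS}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _tag(key, payload)


def mfa_cookie_is_valid(key, cookie, user_id, now=None):
    """True only if the cookie is untampered, unexpired and belongs to user_id."""
    now = int(time.time()) if now is None else now
    if not cookie:
        return False
    try:
        payload_b64, tag = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
    except ValueError:  # malformed value (binascii.Error is a ValueError)
        return False
    # Check the tag in constant time before trusting anything in the payload.
    if not hmac.compare_digest(_tag(key, payload).encode(), tag.encode()):
        return False
    try:
        cookie_user, expires = payload.decode().rsplit("|", 1)
        expires = int(expires)
    except ValueError:
        return False
    if cookie_user != user_id:  # a different account on a shared device
        return False
    return now < expires


def policy_after_initial_signin(key, cookie, user_id, now=None):
    """Decide the next step once the non-MFA policy has returned the signed-in user.

    Returns None when the cookie proves recent MFA (grant access), otherwise
    the MFA policy the user must be sent through next.
    """
    if mfa_cookie_is_valid(key, cookie, user_id, now):
        return None
    return POLICY_WITH_MFA


def can_access_protected(session):
    """Gate protected pages on the app's own session, not on B2C sign-in alone.

    The session is marked mfa_satisfied only after the MFA policy succeeds or
    the cookie validates; clear it if the user cancels the MFA policy, so a
    second tab opened mid-flow does not see a fully authenticated session.
    """
    return bool(session.get("signed_in")) and bool(session.get("mfa_satisfied"))


def set_cookie_header(value):
    """Set-Cookie line for the remember-MFA cookie (the name is an assumption)."""
    return (f"mfa_ok={value}; Max-Age={MFA_REMEMBER_SECONDS}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")
```

The flow is: run the non-MFA policy, read the user's object id from the returned token, call `policy_after_initial_signin` with the `mfa_ok` cookie; on `None` set `mfa_satisfied` in the session, otherwise redirect to the MFA policy and, when it returns successfully, set both the session flag and the cookie from `issue_mfa_cookie`. Keep the key out of the client and rotate it if it leaks, since anyone holding it can mint a 14-day MFA bypass for any user id.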
