Set an expiration policy (timeout) for MFA

Feature name

  • Max session length for sessions where “remember me” is checked

Feature function

With MFA set up to authenticate to the LastPass app, my session would expire after 1 month. I’m more comfortable with this setup personally; my work password manager (OneLogin) is even configured to expire after 24 hours. This feels more secure in case the device is compromised.

Would you suggest a fixed timeout duration or user definable?

I’d love user definable personally! But I know that’s a larger request. I’d like to at least refresh my MFA every 30 days or so, and I imagine Bitwarden Teams might want to be able to enforce configurable constraints.

My employer’s MFA only lasts 24 hours because it allows us to view private data in production databases. So I have to re-enter my password/MFA once a day, and that seems like a reasonable restriction. I wouldn’t really like the inconvenience of doing that every single day with my personal stuff, but the option to make it more strict or relaxed would be cool.

I think this would be a good feature. Xero (the accounting software) has a “remember this device for 30 days” function, which effectively bypasses 2FA for that device only for 30 days. That may be too long for a password manager, but the idea is the same. I think it’s a nice balance between having 2FA and not being bothered by it all the time.