[GH-ISSUE #169] Don't ask for 2FA code every time #78

New issue

Closed

opened 2026-02-25 20:32:21 +03:00 by kerem · 3 comments

kerem commented

2026-02-25 20:32:21 +03:00

Owner

Originally created by @pdolinaj on GitHub (Jun 28, 2021).
Original GitHub issue: https://github.com/antonioribeiro/google2fa/issues/169

I'm not sure whether this is bug or a feature requirement but in many 2FA implementations user can select "Don't ask for 2FA code for XXX days." and then after we enter the 2FA once successfully, the app won't ask us to enter it for XXX days again. Can this be achieved with this app?

Originally created by @pdolinaj on GitHub (Jun 28, 2021). Original GitHub issue: https://github.com/antonioribeiro/google2fa/issues/169 I'm not sure whether this is bug or a feature requirement but in many 2FA implementations user can select "Don't ask for 2FA code for XXX days." and then after we enter the 2FA once successfully, the app won't ask us to enter it for XXX days again. Can this be achieved with this app?

kerem closed this issue

2026-02-25 20:32:22 +03:00

kerem commented

2026-02-25 20:32:22 +03:00

Author

Owner

@marcinlawnik commented on GitHub (Jun 28, 2021):

This is something you have to implement yourself, by saving last successful 2FA attempt time and then checking whether the time has passed. It can be achieved with this library. This is a library, not a ready app ;)

@marcinlawnik commented on GitHub (Jun 28, 2021): This is something you have to implement yourself, by saving last successful 2FA attempt time and then checking whether the time has passed. It can be achieved with this library. This is a library, not a ready app ;)

kerem commented

2026-02-25 20:32:22 +03:00

Author

Owner

@zyglobe commented on GitHub (Sep 1, 2021):

Just to add to that, usually implementations will try to pair a fingerprinted device to the 'remembered' user so that there are assurances that you're not allowing a bad actor to log in with your password from another device and not get prompted for MFA.

@zyglobe commented on GitHub (Sep 1, 2021): Just to add to that, usually implementations will try to pair a fingerprinted device to the 'remembered' user so that there are assurances that you're not allowing a bad actor to log in with your password from another device and not get prompted for MFA.

kerem commented

2026-02-25 20:32:22 +03:00

Author

Owner

@antonioribeiro commented on GitHub (Sep 1, 2021):

I believe this what the "remember me" (Laravel example) feature does, nor not? Authenticated user is tied to an encrypted token, stored on a cookie on each device. Any attempt to mess with the cookie destroys it and logoff the user.

And, yes, as @marcinlawnik said, this package cannot be responsible for anything beyond the generation and checking of one time passwords.

@antonioribeiro commented on GitHub (Sep 1, 2021): I believe this what the ["remember me" (Laravel example)](https://laravel.com/docs/8.x/authentication#remembering-users) feature does, nor not? Authenticated user is tied to an encrypted token, stored on a cookie on each device. Any attempt to mess with the cookie destroys it and logoff the user. And, yes, as @marcinlawnik said, this package cannot be responsible for anything beyond the generation and checking of one time passwords.

kerem referenced this issue

2026-02-25 20:32:36 +03:00

[PR #78] [MERGED] Apply fixes from StyleCI #145

kerem referenced this issue

2026-03-01 17:49:27 +03:00

[PR #78] [MERGED] Apply fixes from StyleCI #381

kerem referenced this issue

2026-03-14 12:16:00 +03:00

[PR #78] [MERGED] Apply fixes from StyleCI #611