How Device Token Works
Administration
Devices and Mobility
Okta Identity Engine
Overview

This article addresses the situation in which devices are prompted for MFA even though the Remember device option is selected. The short answer is that the device token is not being honored. More details are below.

Applies To
  • Device Token (DT)
  • Different DT on each login attempt
  • Remember my device
Solution

Every request to Okta (or at least to login pages) automatically generates a DT cookie and sends it back to the client if the client has not already sent one in the request. The client needs to treat it like any other cookie and send it back as a cookie on subsequent requests. For most customers, this is the default behavior.

There is nothing special about DT. It is just like any other cookie. However, if a customer wants to manage their own device tokens, trusted apps (apps that provide an authorization token on login requests) can pass any value they choose as the DT and send it in the authentication context, as described in the document. Although they can set anything they want, they should generate a unique string for each device if they want the features to work properly. How the IDs are created is totally up to the customer. Otherwise, the default cookies provided by Okta should be used.

This is easy to see by going to any Okta URL and looking at the API response. For example, when going to https://fake.okta.com (a site never accessed before) with the browser's network tools open, the first request should have no DT under cookies. The response cookies should then contain a new DT. Every subsequent request sends the same DT cookie, and no new one appears in the response cookies.

Dev tools network logs
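
The same check can be run over a HAR export from the browser's network tools instead of reading the cookie columns by eye. This is an added example, not Okta code; the function names, finding strings and DT values are assumptions constructed for illustration, and only the HAR `request.cookies` / `response.cookies` layout is standard.

```python
"""Audit DT cookie handling across HAR entries (sample data is constructed)."""

def cookie(cookies, name="DT"):
    """Return the value of the named cookie from a HAR cookie list, or None."""
    return next((c["value"] for c in cookies if c["name"] == name), None)

def audit_dt(entries):
    """Walk entries in capture order and report where the DT is not honored."""
    findings, expected = [], None
    for i, e in enumerate(entries):
        sent = cookie(e["request"]["cookies"])
        issued = cookie(e["response"]["cookies"])
        if expected is not None and sent is None:
            # Blocked, cleared or stripped cookie: the device looks new again.
            findings.append((i, "client dropped DT"))
        elif expected is not None and sent != expected:
            findings.append((i, "client sent a different DT"))
        if sent is not None and issued is not None:
            # The article says no new DT appears once the client sends one.
            findings.append((i, "new DT issued although one was sent"))
        # From here on the client should return the most recent DT it holds.
        if issued is not None:
            expected = issued
        elif expected is None:
            expected = sent  # capture started mid-session
    return findings

def entry(sent=None, issued=None):
    """Build a minimal HAR-shaped entry (constructed sample, not real traffic)."""
    def jar(value):
        return [{"name": "DT", "value": value}] if value else []
    return {"request": {"cookies": jar(sent)},
            "response": {"cookies": jar(issued)}}

# Constructed: first request has no DT, response sets one, client keeps it.
HEALTHY = [entry(None, "DT-aaa"), entry("DT-aaa"), entry("DT-aaa")]
# Constructed: client never returns the cookie, so each response mints a new DT.
BROKEN = [entry(None, "DT-aaa"), entry(None, "DT-bbb"), entry(None, "DT-ccc")]

if __name__ == "__main__":
    for name, entries in (("healthy", HEALTHY), ("broken", BROKEN)):
        print(name, audit_dt(entries) or "DT honored")
```

For a real export, load the file with `json.load` and pass `har["log"]["entries"]`, filtered to requests for the Okta org's host.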
