hostware

Configurable Trusted Devices and Optional Step-Up Authentication for 2FA

Backlog
Author: Martin
12.03.2026 18:08

Add a “Trust this device” checkbox directly below the 2FA input during login, allowing users to mark a device as trusted for a defined period. When selected, the system should suppress repeated 2FA prompts on that device until the configured trust period expires.

The trusted device duration should be configurable globally and per user, with a default of 30 days. This reflects common industry practice and significantly improves day-to-day usability. The setting should also be configured separately for the customer portal and the admin/backend area, since both environments may require different security policies. In addition, the feature should be fully disableable, allowing administrators to enforce 2FA on every login if required.

This is important because repeatedly forcing users to re-enter 2FA codes—sometimes multiple times per day, even after only short breaks—creates unnecessary friction and disrupts normal workflows. On already known and trusted devices, this does not provide meaningful additional value in most cases, but it does create avoidable frustration.

To maintain a high level of security for sensitive operations, the system should also support optional step-up authentication for critical backend areas. This means that even if a user is already logged in and using a trusted device, access to specific sections—such as security settings, billing, customer management, or other privileged actions—can still require an additional 2FA challenge or password confirmation.

Ideally, this should be dynamically configurable, so administrators can define which backend areas require additional authentication before access is granted. Once the user has successfully completed that additional verification, the elevated authentication state should remain valid for a limited period, such as 1 hour, to avoid repeated prompts during the same work session.

This approach provides a practical balance between security and usability: trusted devices reduce unnecessary authentication friction in daily use, while optional step-up authentication keeps protection high where it actually matters.

Thanks for implementing this and making daily operations a lot less painful.

Right now, 2FA without a proper trusted-device flow feels a bit like: “Congratulations, you already proved who you are. Please do it again. And again. And just once more for morale.”
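
Added example, not part of the original post and not hostware code: a minimal Python sketch of the policy the request describes, with a signed trusted-device token scoped per area (portal/admin), a per-user override, a disable switch, and a one-hour step-up window. All names, the key, and the sample settings are constructed assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # constructed; keep the real key server-side
DAY, HOUR = 86400, 3600
# Trust period in days per area; 0 disables trusted devices (2FA on every login).
GLOBAL_TRUST_DAYS = {"portal": 30, "admin": 30}
USER_TRUST_DAYS = {("alice", "admin"): 0}   # constructed per-user override
STEP_UP_AREAS = {"security-settings", "billing", "customer-management"}
STEP_UP_TTL = 1 * HOUR

def trust_days(user, realm):
    """Per-user setting wins over the global default for that realm."""
    return USER_TRUST_DAYS.get((user, realm), GLOBAL_TRUST_DAYS[realm])

def _mac(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_trust_token(user, realm, now):
    """Cookie value set after a successful 2FA with 'Trust this device' ticked."""
    if trust_days(user, realm) == 0:
        return None
    payload = f"{user}|{realm}|{int(now)}"
    return f"{payload}|{_mac(payload)}"

def login_needs_2fa(user, realm, token, now):
    """True unless the token is authentic, bound to user+realm and still fresh."""
    days = trust_days(user, realm)
    if days == 0 or not token:
        return True
    payload, _, mac = token.rpartition("|")
    if not hmac.compare_digest(mac.encode(), _mac(payload).encode()):
        return True
    try:
        t_user, t_realm, issued = payload.split("|")
        age = now - int(issued)
    except ValueError:
        return True
    # Age is checked against the current setting, so shortening or disabling
    # the trust period takes effect for tokens that were already issued.
    return (t_user, t_realm) != (user, realm) or not 0 <= age < days * DAY

def area_needs_step_up(area, last_step_up, now):
    """last_step_up: session timestamp of the last extra 2FA/password check."""
    if area not in STEP_UP_AREAS:
        return False
    return last_step_up is None or now - last_step_up >= STEP_UP_TTL
```

The token carries its issue time instead of an expiry, so the server-side setting stays authoritative; revoking a single device would additionally need a server-side record per token.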