December 17, 2024
Hanko

Hanko 1.3: Device trust, stay signed in, last used

This update adds options to allow users to skip 2FA on trusted devices, a “Stay signed in” checkbox, "Last used" labels on social SSO buttons, and improvements to the Admin API.

Device trust

A new device trust feature lets users skip the second factor for a configurable period after they have completed 2FA successfully on a device. Administrators choose one of three modes: trust is established automatically after a successful 2FA, the user is asked whether they want to trust the device, or trusted devices are never allowed and 2FA is always enforced. Bear in mind that during the trust period anyone with access to that device only needs the first factor, so choose the period with that in mind.
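How such a trust period can be enforced server-side is shown by the following added example. It is not Hanko's code, and the type and field names (DeviceTrust, Key, TTL, TrustPolicy) are assumptions made for the illustration. The three administrator modes are modelled as a policy; a trust token is an HMAC-signed value bound to the user ID with an expiry, so a token issued for one account cannot be replayed for another account in the same browser, and tampering or a lapsed period fall back to a full 2FA.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// TrustPolicy models the three administrator choices described above.
type TrustPolicy int

const (
	TrustNever  TrustPolicy = iota // never skip the second factor
	TrustPrompt                    // ask the user after a successful 2FA
	TrustAlways                    // trust the device automatically after 2FA
)

// DeviceTrust issues and checks signed trust tokens (hypothetical type, not
// Hanko's configuration). Key is a server-side secret, TTL the trust period.
type DeviceTrust struct {
	Key    []byte
	Policy TrustPolicy
	TTL    time.Duration
}

// Issue is called right after a successful second factor. userConsented is the
// answer to the "trust this device?" prompt and only matters under TrustPrompt.
// It returns the token to store in a cookie and whether one was issued at all.
func (d DeviceTrust) Issue(userID string, userConsented bool, now time.Time) (string, bool) {
	switch d.Policy {
	case TrustNever:
		return "", false
	case TrustPrompt:
		if !userConsented {
			return "", false
		}
	}
	nonce := make([]byte, 16) // keeps every issued token distinct
	if _, err := rand.Read(nonce); err != nil {
		return "", false
	}
	// Expiry first and user ID last, so a user ID containing '|' still parses.
	payload := fmt.Sprintf("%d|%s|%s", now.Add(d.TTL).Unix(), hex.EncodeToString(nonce), userID)
	return base64.RawURLEncoding.EncodeToString([]byte(payload)) + "." +
		base64.RawURLEncoding.EncodeToString(d.sign([]byte(payload))), true
}

// CanSkip2FA reports whether token lets userID skip the second factor at time now.
// The token must verify, be unexpired and be bound to the same user, so a token
// left in a shared browser by another account does not weaken this login.
func (d DeviceTrust) CanSkip2FA(userID, token string, now time.Time) bool {
	if d.Policy == TrustNever {
		return false
	}
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return false
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return false
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || !hmac.Equal(sig, d.sign(payload)) { // constant-time compare
		return false
	}
	fields := strings.SplitN(string(payload), "|", 3)
	if len(fields) != 3 {
		return false
	}
	exp, err := strconv.ParseInt(fields[0], 10, 64)
	if err != nil || !now.Before(time.Unix(exp, 0)) {
		return false
	}
	return fields[2] == userID
}

// sign computes HMAC-SHA256 over the payload with the server key.
func (d DeviceTrust) sign(payload []byte) []byte {
	mac := hmac.New(sha256.New, d.Key)
	mac.Write(payload)
	return mac.Sum(nil)
}

func main() {
	d := DeviceTrust{Key: []byte("replace-with-a-random-32-byte-key"), Policy: TrustPrompt, TTL: 30 * 24 * time.Hour}
	now := time.Now()
	tok, _ := d.Issue("user-123", true, now)
	fmt.Println("skip now:", d.CanSkip2FA("user-123", tok, now))
	fmt.Println("skip after 31 days:", d.CanSkip2FA("user-123", tok, now.Add(31*24*time.Hour)))
	fmt.Println("other user, same browser:", d.CanSkip2FA("user-456", tok, now))
}
```

The token would be set as a Secure, HttpOnly cookie alongside the session cookie; whether a user may also revoke trusted devices is a product question the example does not cover.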

Stay signed in

This new option controls whether a persistent cookie or a session cookie is issued when the user logs in. Persistent cookies (the default) remain valid for the configured session duration, so the user stays logged in even after the browser is closed. Session cookies are discarded when the browser is closed (closing a tab is not enough, and browsers that restore the previous session on startup commonly restore session cookies as well), so the user has to log in again on the next visit. A third option adds a "Stay signed in" checkbox to the login screen, which lets the user choose the cookie type themselves. Whichever type is issued, the configured session duration should remain the effective upper bound on the server side, because how a browser treats a session cookie is not something the server can rely on.
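The following added example (not Hanko's code; the cookie name, the Sessions store and its method names are assumptions for the illustration) shows what actually differs between the two cookie kinds in the Set-Cookie header, how the third mode turns on the checkbox value, and why the server-side expiry is recorded regardless of which kind was issued.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"time"
)

// CookieMode models the three settings described above.
type CookieMode int

const (
	CookiePersistent CookieMode = iota // default: survives closing the browser
	CookieSession                      // discarded when the browser is closed
	CookieUserChoice                   // honour the "Stay signed in" checkbox
)

// Sessions is a minimal in-memory session store for this example.
type Sessions struct {
	Mode     CookieMode
	Duration time.Duration
	active   map[string]time.Time // token -> server-side expiry
}

func NewSessions(mode CookieMode, d time.Duration) *Sessions {
	return &Sessions{Mode: mode, Duration: d, active: map[string]time.Time{}}
}

// Login records the session server-side and returns the cookie to set.
// staySignedIn is the checkbox value and only matters under CookieUserChoice.
func (s *Sessions) Login(staySignedIn bool, now time.Time) *http.Cookie {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		panic(err)
	}
	token := hex.EncodeToString(raw)
	s.active[token] = now.Add(s.Duration) // enforced whatever the cookie kind

	c := &http.Cookie{
		Name:     "hanko", // cookie name assumed for the example
		Value:    token,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
	}
	// The only difference between the two kinds: a persistent cookie carries
	// Expires/Max-Age, a session cookie carries neither.
	if s.Mode == CookiePersistent || (s.Mode == CookieUserChoice && staySignedIn) {
		c.Expires = now.Add(s.Duration)
		c.MaxAge = int(s.Duration / time.Second)
	}
	return c
}

// Valid reports whether the cookie still identifies a live session. A session
// cookie that a browser restored after a restart is therefore still cut off
// once the configured session duration has passed.
func (s *Sessions) Valid(c *http.Cookie, now time.Time) bool {
	exp, ok := s.active[c.Value]
	return ok && now.Before(exp)
}

// IsPersistent reports whether a cookie carries an expiry, i.e. whether a
// browser is expected to keep it across restarts.
func IsPersistent(c *http.Cookie) bool {
	return c.MaxAge > 0 || !c.Expires.IsZero()
}

func main() {
	now := time.Now()
	for _, tc := range []struct {
		mode CookieMode
		stay bool
	}{{CookiePersistent, false}, {CookieSession, true}, {CookieUserChoice, false}, {CookieUserChoice, true}} {
		fmt.Println(NewSessions(tc.mode, 12*time.Hour).Login(tc.stay, now).String())
	}
}
```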

Last used indicators

Social SSO buttons (e.g., "Sign in with Google") now display a "Last used" label to help users remember which provider they chose on their last visit and avoid creating redundant accounts. Note that with Account Linking enabled, users can still switch to a different provider to some extent, but only if the email address returned by that provider matches the existing account.

New Admin API endpoints

The Admin API has been extended with the following new endpoints:

  • password (get, create, update, delete)
  • webauthn (list, get, delete)
  • otp (get, delete)
  • sessions (list, create, delete)

User import improvements

User import functionality has been improved. Now, more user data and credentials can be imported, e.g.:

  • Usernames
  • Passwords (bcrypt hashes)
  • WebAuthn credentials
  • OTP secrets