Trusted devices (Remember device with 2FA)

3 min read · Account security

If you have 2FA enabled and want to skip the 6-digit code when signing in from your regular computer or phone, tick "Remember this device" - we will not ask for TOTP again for 30 days.

How it works

  1. During the first successful 2FA login on the device, tick "Remember this device"
  2. We store an HTTP-only cookie in the browser with a signed token (HMAC, so any modification invalidates it)
  3. On your next sign-in (same browser, same device) we detect this cookie and skip the 2FA step
  4. After 30 days the token expires and you have to enter TOTP again

Managing trusted devices

Under Settings -> Security -> Trusted devices you can see the list:

  • Device name (derived from the user agent - e.g. "Chrome on Windows 11")
  • IP and country of the last sign-in
  • Date added and date of last use
  • Remove button - revokes trust immediately (the cookie is rejected on the next request)

When to remove a device

  • If you signed in on a shared or public computer (cafe, library)
  • If you lost or sold the laptop or phone
  • If you see a device in the list you do not recognise (check the IP / country)

Security safeguards

  • HMAC signature: the token is signed with a server-side secret - an attacker cannot forge a valid cookie without knowing the secret
  • HTTP-only: JavaScript on the page cannot read the cookie (protection against XSS exfiltration)
  • Secure flag: the cookie is only sent over HTTPS
  • Per-account: the token contains the user ID - a cookie stolen from account A will not work on account B
  • Auto-expiry: 30 days of validity, after which TOTP is required again
  • On password change (via "Forgotten password" or password reset) all trusted devices are removed automatically - an attacker with a stolen cookie can no longer skip 2FA
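
The safeguards above combined into one server-side check, as an added example that is not the service's own code. The token layout (base64url JSON body, a dot, then HMAC-SHA256), the cookie name, the in-memory device store and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: the real secret never leaves the server
TTL = 30 * 24 * 3600                 # 30 days, as stated on this page
trusted = {}                         # hypothetical server-side list: device_id -> user_id

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(body):
    return b64e(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def issue(user_id, device_id, now=None):
    """Called after a successful 2FA login with "Remember this device" ticked."""
    now = int(time.time()) if now is None else now
    trusted[device_id] = user_id
    claims = {"uid": user_id, "did": device_id, "exp": now + TTL}
    body = b64e(json.dumps(claims).encode())
    return body + "." + sign(body)

def cookie_header(token):
    # Cookie name is hypothetical; HttpOnly and Secure are the flags listed above.
    return f"Set-Cookie: trusted_device={token}; Max-Age={TTL}; Path=/; HttpOnly; Secure"

def can_skip_2fa(token, login_user_id, now=None):
    """True only if every safeguard holds; any failure falls back to asking for TOTP."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(sig, sign(body)):  # constant-time signature check
            return False
        claims = json.loads(b64d(body))
    except (ValueError, TypeError, AttributeError):
        return False
    if claims["exp"] <= now:                  # auto-expiry
        return False
    if claims["uid"] != login_user_id:        # per-account binding
        return False
    return trusted.get(claims["did"]) == login_user_id  # not revoked server-side

def revoke(device_id):
    trusted.pop(device_id, None)              # the "Remove" button

def revoke_all(user_id):
    for did in [d for d, u in trusted.items() if u == user_id]:
        del trusted[did]                      # password change or reset
```

The signature alone cannot express removal, which is why the check ends with a lookup in the server-side list: a cookie that is still correctly signed and unexpired stops working as soon as its device entry is deleted.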