We will add a new background 2FA feature for auto-login tokens. When a user comes in through an auto-login token, gatekeeper will try to validate it. If the token's age is below x minutes, we will also write or refresh a special 2FA token cookie. The purpose of this 2FA token is to let us auto-renew an expired token when the same user comes through again, as long as the 2FA cookie (token) matches their user record. In those cases, we have reasonable certainty that they are the same person, and we can renew their token without asking them to click through an email.
If the 2FA token does not exist, or does not match the user, they will see the same message we show now. They can click a button to receive the re-issue token by email. As long as this happens in less than x minutes, the 2FA token cookie will be written to the browser on that use, and they will not be prompted again in the future.
Note: If the token is older than 30 days, it will be expired completely and won't be renewable. I think that condition should be very rare, though.
This will make token renewals much easier for users (they won't be pestered to click through an email), and if they do have to, it is just a one-time thing.
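The decision flow described above, as an added sketch that is not gatekeeper's own code. The function names, the `twofa_hash` field, the 10-minute value for "x minutes" and the 1-day token lifetime are assumptions; only the 30-day hard limit comes from the note. Storing a hash of the cookie in the user record, rather than the cookie itself, is also an assumption about how "matches their user record" is checked.

```python
import hashlib
import hmac
import secrets
from datetime import timedelta

# Assumed values: the note only names "x minutes" and the 30-day hard limit.
FRESH_WINDOW = timedelta(minutes=10)   # "x minutes" (placeholder)
TOKEN_TTL = timedelta(days=1)          # normal token lifetime (placeholder)
HARD_LIMIT = timedelta(days=30)        # from the note: not renewable beyond this


def _digest(cookie_value: str) -> str:
    # Only a hash is kept server-side, so reading a user record
    # does not reveal a usable cookie value.
    return hashlib.sha256(cookie_value.encode()).hexdigest()


def issue_2fa_cookie(user: dict) -> str:
    """Create a random cookie value and bind its hash to the user record."""
    value = secrets.token_urlsafe(32)
    user["twofa_hash"] = _digest(value)
    return value


def cookie_matches(user: dict, cookie_value) -> bool:
    stored = user.get("twofa_hash")
    if not stored or not cookie_value:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(stored, _digest(cookie_value))


def handle_autologin(user: dict, token_age: timedelta, cookie_value=None):
    """Return (action, cookie_to_set) for a token that is otherwise genuine."""
    if token_age > HARD_LIMIT:
        return "reject", None          # fully expired, never renewable
    if token_age < TOKEN_TTL:
        # Valid token; only a fresh one may write or refresh the 2FA cookie.
        fresh = token_age < FRESH_WINDOW
        return "login", issue_2fa_cookie(user) if fresh else None
    if cookie_matches(user, cookie_value):
        return "renew", None           # same browser as before: silent renewal
    return "prompt_email", None        # show the re-issue button
```

The cookie returned by `handle_autologin` should be set with the `Secure` and `HttpOnly` attributes, since possession of it is what stands in for the email click-through.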