I have an application with 3 groups. I register the user via PHP API insert and assign them to a group based on their options.
If a user logs in with a valid username and password, they are redirected to the MFA input. But if they click the back arrow on the browser until they get back to my page, then refresh, they are logged into the site without having completed the MFA.
Can anyone verify this is happening on other sites, and if not, tell me what setting I may have misconfigured, and if so, is there a fix in the pipe for it?
Side note: MFA fires on EVERY login attempt. Is there a way to only have it occur on NEW or unrecognized devices after the initial success?
Bob registers and logs in via PC; he successfully completes MFA.
Bob logs in from the same PC again; he is asked to MFA (this is not desired).
Bob logs in from a tablet; he is asked for MFA (this is correct, as the device is not known).
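
One way an application can enforce both behaviours server-side, as an added example that is not part of the original post and not the code of the product being asked about: a session only counts as logged in after MFA, and a signed remembered-device token lets a known device skip the prompt. The names `Session`, `password_ok`, `mfa_ok`, `device_token` and `can_view_protected`, the key, and the device identifiers are all hypothetical.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret; a real deployment loads it from protected config.
SERVER_KEY = secrets.token_bytes(32)

def device_token(user, device_id):
    """HMAC binding a user to one device id; stored on that device as a cookie."""
    msg = f"{user}|{device_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

class Session:
    """Server-side session: anonymous -> mfa_pending -> authenticated."""
    def __init__(self):
        self.user = None
        self.state = "anonymous"

def password_ok(session, user, device_id, presented_token):
    """Call only after the password has been verified."""
    session.user = user
    expected = device_token(user, device_id)
    known = presented_token is not None and hmac.compare_digest(
        presented_token.encode(), expected.encode())
    # A valid password alone never yields "authenticated" on an unknown device.
    session.state = "authenticated" if known else "mfa_pending"
    return session.state

def mfa_ok(session, device_id):
    """Call only after the MFA code has been verified; returns the device token."""
    if session.state != "mfa_pending":
        raise PermissionError("no MFA challenge outstanding for this session")
    session.state = "authenticated"
    return device_token(session.user, device_id)

def can_view_protected(session):
    """Gate for every protected page: back button and refresh re-run this check."""
    return session.state == "authenticated"
```

Because `can_view_protected` runs on each request, a session left in `mfa_pending` is refused no matter how the browser navigated back to the page.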