2FA for untrusted IPs or browsers only

It is great that we have 2FA available for all Mastodon users - definitely needed!

However, we all have to deal with many MFA requests every day throughout our digital lives, which for some of us creates MFA fatigue.

To ease the burden on everyone and boost MFA adoption I’d like to make the following suggestions:

1. Remember a trusted browser for 30 days
To implement this you’d need to put a cookie with some crypto on the browser and keep track of it on the server, so that the user can declare a browser as not trusted anymore.

2. Allow the user to add trusted IPs
Many of us log in to Mastodon from places where we often are (like our workplace) that have a static public IP. It would be fantastic if the user could add IP addresses to the list of trusted IPs, so Mastodon doesn’t ask for 2FA when the user logs in from that IP.
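One way to build the "remember this browser for 30 days" token from suggestion 1, as an added example in Ruby (the language Mastodon is written in) that is not Mastodon's own code; the class name, cookie layout, in-memory store and secret are assumptions, and the store would be a database table in practice:

```ruby
require 'openssl'
require 'securerandom'

# Added example, not Mastodon's code: the browser keeps an HMAC-signed cookie,
# the server keeps one record per device so the user can revoke a browser later.
class TrustedDeviceStore
  TTL = 30 * 24 * 60 * 60 # 30 days, in seconds

  # clock is injectable so expiry can be exercised without waiting 30 days.
  def initialize(secret, clock: -> { Time.now.to_i })
    @secret = secret
    @clock = clock
    @devices = {} # device_id => { user_id:, expires_at:, revoked: }
  end

  # Issue a cookie value after a successful 2FA login. Returns the string to
  # set as an HttpOnly, Secure cookie and creates the matching server record.
  def issue(user_id)
    device_id = SecureRandom.hex(16)
    expires_at = @clock.call + TTL
    @devices[device_id] = { user_id: user_id, expires_at: expires_at, revoked: false }
    payload = "#{device_id}.#{user_id}.#{expires_at}"
    "#{payload}.#{sign(payload)}"
  end

  # True only if the MAC is intact, the server still knows the device, it
  # belongs to this user, it was not revoked and it has not expired.
  def trusted?(cookie, user_id)
    return false if cookie.nil?
    device_id, uid, exp, mac = cookie.split('.')
    return false if mac.nil? || !secure_compare(sign("#{device_id}.#{uid}.#{exp}"), mac)
    record = @devices[device_id]
    return false if record.nil? || record[:revoked] || record[:user_id] != user_id
    @clock.call < record[:expires_at]
  end

  # Lets a user mark one of their own browsers as no longer trusted.
  def revoke(user_id, device_id)
    record = @devices[device_id]
    return false unless record && record[:user_id] == user_id
    record[:revoked] = true
  end

  private

  def sign(payload)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, payload)
  end

  # Constant-time comparison so a forged MAC cannot be guessed byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Because the server record is the source of truth, revoking a device from account settings takes effect immediately even though the cookie itself is still signed and unexpired.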

Do users often log out of their sessions but still want to store MFA cookies? I feel like the intersection between the two is rather small… Mastodon doesn’t ask you to periodically re-auth like other services do, so I generally go 3 to 6 months without typing in my 2FA code.

There are certainly use cases (although few) that force users to log out - using a shared (but trusted) computer is an example.