"Debounce" 2FA Authentication

[Matchlighter]

I'd like to see a way to "remember" a 2FA success for longer periods. I only want my session to last a day or so, but I don't want to have to re-2FA every time.

For example, my work uses Okta. I have to sign in by entering my password every day, but I only have to enter a 2FA code once per month.

I'm not seeing a current way to do this - I looked at expression policies, but I'm not seeing any sort of last_successful_2fa variable or anything like that that I could key off of.

[nightred]

This would also help in adding a forced mfa step to the default-provider-authorization-* if the mfa has not refreshed in a day.
I have added a mfa validation step to default-provider-authorization-* but it then asks every open instead of once a day as requested here.

This is nice for a logon to the console that lasts for several days but once a day launching an application validates your mfa every 24 hours.

[BeryJu]

#2828