By default, Privy caches the MFA token after verification and skips re-prompting until it expires.
Apps that need fresh verification on every launch can clear the cached token whenever the app moves
to the background. A trading app, for example, might treat each app open as a new security session.
This recipe uses React Native’s AppState API and Privy’s clear method from useMfa to tie MFA
verification to app session lifecycle.
How it works
- The user opens the app, authenticates, and proceeds normally. Wallet actions trigger MFA as usual.
- When the user backgrounds the app,
clear() invalidates the cached MFA token.
- When the user returns and performs a wallet action, Privy finds no valid token and prompts for
fresh verification.
Implementation
Register an AppState listener in a component near the root of your app. When the app leaves the
active state — backgrounded or inactive — clear the MFA token:
Render <AppSessionMfaGuard /> inside PrivyProvider, near the root of your app:
Proactively prompting on app resume
Wallet actions naturally re-trigger MFA after clear(). To prompt immediately on foreground
instead, call prompt() when the app returns to active:
prompt() no-ops when the user has no MFA methods enrolled. Because clear() runs on every
background event, there is never a cached token on resume. The user is always prompted.
Extending the cache duration
By default, MFA tokens stay valid for 15 minutes. For a session-based approach, a longer cache
prevents mid-session expiry. clear() then handles explicit invalidation on background.
Configure the MFA token duration in the
Privy Dashboard. Setting a value of several
hours ensures no mid-session re-prompts while the user is active.
iOS background constraints
On iOS, apps that move to the background have limited time before execution suspends. clear() makes
no network requests and operates only on local state. It completes reliably within iOS background
execution limits.