Authenticate the challenge ID and token with /MFAAuthenticate.json. At this point, the sessionId (from step one) is MFA trusted. Note that the mfaId token expires at end of the current session or when you sign out.
Maintaining MFA for 30 days
In step three of the MFA process, if you set rememberMe as true in your /MFAAuthenticate.json request, the mfaId value is marked as trusted for 30 days. For these 30 days, set deviceId and mfaId as additional fields when you sign in (/Login.json).
Click Try It! to start a request and see the response here!