Your session at this point is NOT active. It has expired. Joomla starts with a blank session. Then the Cookie Login plugin kicks in and logs you back in with the “Remember Me” cookie, starting a new session. The session lacks a flag to indicate it's gone through MFA therefore you are asked to provide MFA.

My question is what is the setting on “Multi-factor Authentication after silent login” and what are the options in “Silent login authentication response types (for experts)”. If the former is set to No and the latter has cookie in it, it should not ask you to authenticate after cookie authentication. If that's how it's set up and it still asks you please change the issue title to “MFA always required after silent login” and assign this to me. I have seen this happening on two sites of mine and meant to investigate further but I forgot. I just want to make sure it happens on sites other than mine so I know that at the very least I am trying to solve a real core issue, not something I've messed up in my site config :)

Where do I find the settings “Multi-factor Authentication after silent login” and “Silent login authentication response types (for experts)”?

Users, Options, Multi-factor Authentication tab

"Multi-factor Authentication after silent login" is "no" and "Silent login authentication response types (for experts)" is "cookie, passwordless".

All right, I am on it :)

Turned on skype, when you need some more input.

My two sites were not working because I had not turned the option on ?

I tried reproducing your issue on a new site based on the latest 4.2-dev branch. I tried with both Remember Me (cookie authentication) and WebAuthn (passwordless authentication), with and without a login redirection. I also tried with various combinations of track session metadata. I can not reproduce the issue.

BTW: to test the cookie authentication without waiting forever it's enough to delete Joomla's session cookie, but not the Remember Me cookie, from your browser. The easiest way to do that is through the browser's dev tools. This is something I learned several years ago when I was debugging the Remember Me plugin on J3 and it still works the same way in J4.

Is it possible that your browser is actually caching the redirection to the captive page?

If you have more insight on your site's configuration please do tell me.

If you want to go through the rabbit hole, the method which handles silent logins is \PlgUserJoomla::disableMfaOnSilentLogin. Note that this is called only in the onUserAfterLogin event and only if it's the front- or backend application. If you have a plugin in your stack which cancels the onUserAfterLogin event before the Joomla user plugin's handler executes then, yeah, this feature will be broken. Try ordering the User - Joomla plugin first in the stack of user plugins and see if it makes a difference. FWIW the onUserAfterLogin event should never be cancelable but that's another architectural issue for another Joomla architecture discussion ?

Please test #38793.

Found the bug. As soon as I saved the user settings, it started to work as well, because the variable is set correctly then. But it is still possible to use it with an empty string in the settings and then it breaks again.

Ah! That makes perfect sense. On my sites this was left empty because of the way I managed the settings with a custom script with the same result (which is why I thought it's just me doing something stupid with the settings).