diff --git a/ChangeLog b/ChangeLog
index 4c5f55bd2a68eb6efda0cf930999861c85d78ff7..74cc1368f25cea850139c3b182efe100a1890e5c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
 train-2012.06.08 (in progress):
   * Support non-english passwords: issue #1631
   * remove obsolete code - 'code_update' handler: issue #1645
+  * allow sessions to persist for 4 weeks after a user confirms ownership of a device (was effectively 1 week): #1632
 
 train-2012.05.25:
   * many KPI improvements: #1597, #1613
diff --git a/lib/configuration.js b/lib/configuration.js
index 4c4957e57866824105433609fea062849e2d5bb1..abe731e59d8dd5d52b97a22ba29a69fbf3f5e205 100644
--- a/lib/configuration.js
+++ b/lib/configuration.js
@@ -138,7 +138,7 @@ var conf = module.exports = convict({
   },
   authentication_duration_ms: {
     doc: "How long may a user stay signed?",
-    format: 'integer = 1209600000'
+    format: 'integer = 2419200000'
   },
   ephemeral_session_duration_ms: {
     doc: "How long a user on a shared computer shall be authenticated",
diff --git a/lib/wsapi.js b/lib/wsapi.js
index aa206d442e7c273efa70dcdf56c97ffb0bd853a4..004dd36d701558003b138c45ea2a7bb40c77797c 100644
--- a/lib/wsapi.js
+++ b/lib/wsapi.js
@@ -145,12 +145,10 @@ exports.setup = function(options, app) {
   var cookieSessionMiddleware = sessions({
     secret: COOKIE_SECRET,
     cookieName: COOKIE_KEY,
-    duration: 7 * 24 * 60 * 60 * 1000, // 1 week
+    duration: config.get('authentication_duration_ms'),
     cookie: {
       path: '/wsapi',
       httpOnly: true,
-      // IMPORTANT: we allow users to go 1 weeks on the same device
-      // without entering their password again
       maxAge: config.get('authentication_duration_ms'),
       secure: overSSL
     }