We have exactly the same problem.
It would be great to have a similar workflow to the Google MFA.

I experimented with WebAuthn and simple MFA. The problem is that the MFA 
provider selection menu shows all providers without respecting the 
providers' Groovy bypass.
Also, you can only use the provider selection menu with the global MFA trigger.

On Friday, April 15, 2022 at 2:44:30 AM UTC+2 rcp...@gmail.com wrote:

> Hi,
> Are there any documents about the flow of control when using MFA?
> We have configured CAS to optionally show MFA options when the user logs 
> in, and this works, but there are a number of problems we would like to 
> address, and are unsure how this should work in CAS.
>
> The flow we have at the moment is:
> 1. User requests to enable MFA
> 2. User is logged out and taken to the CAS login page
> 3. User has to configure MFA
> 4. User is now logged in.
>
> This is somewhat acceptable, but we would prefer to allow users to 
> configure MFA when they are already logged in and not force them to log in 
> again. Is this possible?
>
> The main problem we have is that once MFA is configured, and the user logs 
> in and is presented with the MFA check, they always have the option to 
> configure another MFA device (we are using at the moment). This defeats the 
> purpose of MFA, as if the user's password is compromised, the attacker can 
> just configure another device. We are trying and failing to understand how 
> this should be configured.
>
> I would be grateful for any pointers.
> Thanks in advance.
> Rob
>
