MFA Trusted Devices and Public Machines


Shawn Cutting

May 4, 2020, 1:06:36 PM5/4/20
to CAS Community
Good Day,

I am trying to get one last piece of our CAS 5.3 MFA setup and I am hitting a roadblock.  I have cas.authn.mfa.gauth.trustedDeviceEnabled=true, and everything works as it should (I am writing MFA info to a MySQL database) when it asks for a device name.  The issue is that I want to make it so that a user can choose to NOT remember the device, as if using a public computer (which we do discourage when logging in).  Is there a way to programmatically bypass the device naming screen if a user checks a box asking to do so?  I can manipulate the MFA Google Authenticator code page to add the checkbox.
Any suggestions would be fabulous!

Thanks in advance,

Shawn

Ray Bon

May 4, 2020, 1:41:20 PM5/4/20
to cas-...@apereo.org
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Hayden Sartoris

May 5, 2020, 7:40:15 AM5/5/20
to CAS Community
Hi Shawn,

I believe it's the case that submitting the form with an empty string set as the value for the device name will bypass registration. I know that's true at least in 6.1.x, and, for anyone else looking, it's broken in 6.2.0-RC4, but I've submitted a PR to fix it here: https://github.com/apereo/cas/pull/4836

Practically speaking, I have this implemented in JavaScript on the client side, with a 'Skip' button with an event listener on it. When clicked, a function fires that blanks out the device name, in case the user has set one, and then submits the form. To prevent accidental registrations, I have a checkbox labeled something like 'This is a computer I control personally', and the real Submit button is inactive until that box is checked, also done via JavaScript.

In the future, this should probably be a first-class feature of trusted devices; obviously we can't have users registering anything they log into. I might work that into my PR, but I feel my solution (although working in production) is a little hacky to submit to the codebase.

Best,
Hayden
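The client-side approach Hayden describes, written out as an added example (it is not Hayden's production script and not part of CAS). It assumes the trusted-device template has a form with id "fm1" and elements with ids "deviceName", "trustDevice", "submitBtn" and "skipBtn" (all assumed ids, not taken from the thread), and it relies on the server treating an empty device name as "skip registration", which the thread reports holds on 6.1.x but not on 5.3, where a blank name is auto-filled.

```javascript
// Added example; not Hayden's code and not CAS project code.
// Assumed element ids (not from the page): "fm1", "deviceName",
// "trustDevice", "submitBtn", "skipBtn".

// Pure rule: unless the user has checked "this is a computer I control",
// submit an empty device name, which the server treats as "do not register".
function deviceNameToSubmit(trustChecked, enteredName) {
  if (!trustChecked) return "";
  return (enteredName || "").trim();
}

// The real Submit button is usable only with the box checked and a name given.
function registrationAllowed(trustChecked, enteredName) {
  return deviceNameToSubmit(trustChecked, enteredName) !== "";
}

// DOM wiring; `doc` is injected so the logic can be exercised without a browser.
function wireTrustedDeviceControls(doc) {
  const form = doc.getElementById("fm1");
  const nameInput = doc.getElementById("deviceName");
  const trustBox = doc.getElementById("trustDevice");
  const submitBtn = doc.getElementById("submitBtn");
  const skipBtn = doc.getElementById("skipBtn");

  const refresh = () => {
    submitBtn.disabled = !registrationAllowed(trustBox.checked, nameInput.value);
  };
  trustBox.addEventListener("change", refresh);
  nameInput.addEventListener("input", refresh);
  refresh(); // start disabled: the default is "do not remember this device"

  // Skip: blank the name even if the user typed one, then submit the form.
  skipBtn.addEventListener("click", (ev) => {
    if (ev && ev.preventDefault) ev.preventDefault();
    nameInput.value = deviceNameToSubmit(false, nameInput.value);
    form.submit();
  });

  // If Submit is reached with the box unchecked, still send an empty name.
  form.addEventListener("submit", () => {
    nameInput.value = deviceNameToSubmit(trustBox.checked, nameInput.value);
  });
}

// Only wire the page when running in a browser.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () =>
    wireTrustedDeviceControls(document));
}
```

This is client-side only: it controls what the browser sends, so the server-side handling of an empty device name is what actually prevents the registration.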

Shawn Cutting

May 5, 2020, 9:06:04 AM5/5/20
to CAS Community
Thanks, gentlemen, for your input. I wanted to point out that I made a mistake with the CAS property... it should have been cas.authn.mfa.trusted.deviceRegistrationEnabled=true (CAS 5.3.14)

Ray, I was looking into the ver 5.3 notes regarding the webflow customization, but I am not familiar at all with how to write Java or incorporate extensions to the system, so unfortunately I can't use this... but thanks!

Hayden, I was beginning to go down the JavaScript path to try and "trick" the system into not recording the device in a similar way as you are describing, but with version 5.3, even if I leave the name blank, the system defaults to giving the device a name (it basically looks like a line that would normally go into an HTTP access log, with the timestamp, the device information, etc.). I was trying to figure out the timing of the webflow to see if I could intercept the information before it went to the database (I am using a MySQL database to store this info) but have not been able to do so. Would you be willing to give me your JavaScript to see if I can engineer something for our setup? I really think that there is just one little thing that is keeping me from progressing.

Thanks again, gents!

Shawn