MFA configuration flow

Skip to first unread message

Rob Pumphrey

Apr 14, 2022, 8:44:30 PMApr 14
to CAS Community
Are there any documents about the flow of control when using MFA?
We have configured CAS to optionally show MFA options when the user logs in, and this works, but there are a number of problems we would like to address, and are unsure how this should work in CAS.

The flow we have at the moment is:
1. User requests to enable MFA
2. User is logged out and taken to the CAS login page
3. User has to configure MFA
4. User is now logged in.

This is somewhat acceptable, but we would prefer to allow users to configure MFA when they are already logged in and not force them to login again. Is this possible?

The main problem we have is that once MFA is configured, and the user logs is and is presented with the MFA check, they always have the option to configure another MFA device (we are using at the moment). This defeats the purpose of MFA, as if the user's password is compromised, the attacker can just configure another device. We are trying and failing to understand how this should be configured.

I would be grateful for any pointers.
Thanks in advance.

Marcin Roman

Apr 15, 2022, 5:52:04 AMApr 15
to CAS Community,
We have exactly the same problem.
It would be great to have similar workflow to the google mfa.

I experimented with webauthn and simple mfa. The problem is that the mfa provider selection menu shows all providers without respecting the providers's groovy bypass.
Also you can only use provider selection menu with the global mfa trigger.


Apr 19, 2022, 12:22:00 PMApr 19
to CAS Community, Marcin Roman,
You can use multiple providers using selection now in current release with principal attribute per service, , I reported it with a pull request not to long ago and someone else also added a fix for Rest, I am assuming others will come along soon enough. This now works in current 6.5.x as it was backported , .

Some of the MFA providers have the option,  cas.authn.mfa.provider_name.multiple-device-registration-enabled which set to true or false to allow multiple registrations, you could look into that for the providers you are using.

Reply all
Reply to author
0 new messages