Are there any documents about the flow of control when using MFA?
We have configured CAS to optionally show MFA options when the user logs in, and this works, but there are a number of problems we would like to address, and are unsure how this should work in CAS.
The flow we have at the moment is:
1. User requests to enable MFA
2. User is logged out and taken to the CAS login page
3. User has to configure MFA
4. User is now logged in.
This is somewhat acceptable, but we would prefer to allow users to configure MFA when they are already logged in and not force them to login again. Is this possible?
The main problem we have is that once MFA is configured, and the user logs in and is presented with the MFA check, they always have the option to configure another MFA device (we are using at the moment). This defeats the purpose of MFA, as, if the user's password is compromised, the attacker can just configure another device. We are trying and failing to understand how this should be configured.
I would be grateful for any pointers.
Thanks in advance.
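As an added illustration, not code from the original post and not Apereo CAS's own API or configuration, the policy the question is asking for can be modelled in standalone Python: a password-only session may enroll a first device, but adding a further device requires the session to have already completed MFA with an existing device (a step-up, with no logout). The names `AuthLevel`, `Session`, `Account`, `weak_register_device`, `hardened_register_device` and `complete_mfa` are hypothetical, and the accounts and device identifiers are constructed sample data.

```python
"""Illustrative (hypothetical, not CAS) model of when MFA device enrollment is allowed.

The weak variant reproduces the behaviour described in the question: any
password-authenticated session can add a device.  The hardened variant only
allows a first enrollment from a password-only session; adding another device
requires the session to have proved possession of an already-registered device.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class AuthLevel(Enum):
    ANONYMOUS = auto()
    PASSWORD = auto()       # first factor only
    MFA_VERIFIED = auto()   # first factor plus a registered second-factor device


@dataclass
class Account:
    username: str
    devices: set = field(default_factory=set)   # registered MFA device identifiers


@dataclass
class Session:
    account: Account
    level: AuthLevel = AuthLevel.ANONYMOUS


class EnrollmentDenied(Exception):
    """Raised when the current session is not allowed to register a device."""


def weak_register_device(session: Session, device_id: str) -> bool:
    """Weak policy: being logged in with a password is enough to add a device."""
    if session.level is AuthLevel.ANONYMOUS:
        raise EnrollmentDenied("not logged in")
    session.account.devices.add(device_id)
    return True


def hardened_register_device(session: Session, device_id: str) -> bool:
    """Hardened policy: first device from a password session, further devices only after MFA."""
    acct = session.account
    if session.level is AuthLevel.ANONYMOUS:
        raise EnrollmentDenied("not logged in")
    if acct.devices and session.level is not AuthLevel.MFA_VERIFIED:
        raise EnrollmentDenied("adding a device requires completing MFA with an existing device")
    acct.devices.add(device_id)
    return True


def complete_mfa(session: Session, device_id: str) -> bool:
    """Step-up within the existing session: prove possession of a registered device."""
    if session.level is AuthLevel.ANONYMOUS:
        raise EnrollmentDenied("not logged in")
    if device_id not in session.account.devices:
        return False                        # unknown device, session level unchanged
    session.level = AuthLevel.MFA_VERIFIED
    return True


def attacker_scenario(register) -> bool:
    """An attacker who knows only the password tries to add their own device.

    Returns True if the attacker ends up with a registered device (constructed data).
    """
    victim = Account("alice", {"alice-phone"})
    password_only = Session(victim, AuthLevel.PASSWORD)
    try:
        register(password_only, "attacker-phone")
    except EnrollmentDenied:
        return False
    return "attacker-phone" in victim.devices


def legitimate_scenario() -> bool:
    """A logged-in user enrolls a first device, then a second one after a step-up, never logging out."""
    alice = Account("alice")
    session = Session(alice, AuthLevel.PASSWORD)
    hardened_register_device(session, "phone-1")       # first device: allowed
    try:
        hardened_register_device(session, "phone-2")   # second device without MFA: refused
        second_without_mfa = True
    except EnrollmentDenied:
        second_without_mfa = False
    complete_mfa(session, "phone-1")                   # step-up with the existing device
    hardened_register_device(session, "phone-2")       # now allowed
    return (not second_without_mfa) and alice.devices == {"phone-1", "phone-2"}


if __name__ == "__main__":
    print("weak policy, attacker adds device:", attacker_scenario(weak_register_device))
    print("hardened policy, attacker adds device:", attacker_scenario(hardened_register_device))
    print("hardened policy, legitimate flow works:", legitimate_scenario())
```

The point of the model is the check in `hardened_register_device`: the decision is keyed on the session's authentication level, not merely on whether the user is logged in, so a stolen password alone cannot change the set of trusted devices, while a user who is already logged in can still enroll by stepping up rather than being logged out and sent back to the login page.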