Disabling device removal in Google Authenticator MFA

74 views
Skip to first unread message

Roger

unread,
Jan 19, 2026, 11:32:37 AMJan 19
to CAS Community

Is there a way to disable device removal for Google Authenticator MFA in Apereo CAS 7.2?

I want to prevent users from deleting registered devices, or disable the device management screen entirely. Allowing a user to delete a device and enroll a new one using only username/password appears insecure.

Is there a configuration option or recommended approach to enforce this restriction?cas2.pngcas2.pngcas1.png

Frédéric Dussurget

unread,
Jan 20, 2026, 10:16:40 AMJan 20
to CAS Community, Roger
Hi Roger, just in case, if you ever move to 7.3.3, users will get a mfa challenge before deleting/registering a gauth device, based on a a preexisting gauth device.
Regards,

Roger

unread,
Jan 27, 2026, 9:50:38 AMJan 27
to CAS Community, Roger
screenshots for clarity
Screenshot from 2026-01-16 20-16-01.png
Screenshot from 2026-01-16 20-16-13.png

понедельник, 19 января 2026 г. в 19:32:37 UTC+3, Roger:

Frédéric Dussurget

unread,
Jan 28, 2026, 9:38:36 AMJan 28
to CAS Community, Roger
Hi Roger,
I mean that in the 7.3 version, a malicious user won't be able to delete a registered device as long as he cannot provide the "suspicious_borg" ("sharp boyd" in your case) totp code to do so (see the popup window in the pic below that you might not get in your context). 


firefox_vFYAk0sbAm.png

And the same way, he also won't be able to register his own device without detaining "sharp  boyd".

Salazar Wagner

unread,
Jan 29, 2026, 9:55:22 AMJan 29
to cas-...@apereo.org, Roger
In this context, how could more than one device be registered for the same login?

Frédéric Dussurget

unread,
Jan 30, 2026, 7:40:11 AMJan 30
to CAS Community, Salazar Wagner, Roger
Hi Salazar,
if you setcas.authn.mfa.gauth.core.multiple-device-registration-enabled= true, you may register multple devices using one of your preregistered totp devices. There's a dropdown select menu to select one of your devices :

firefox_pCE6M9pwA7.png
Reply all
Reply to author
Forward
0 new messages