Disabling device removal in Google Authenticator MFA

[Roger]

Is there a way to disable device removal for Google Authenticator MFA in Apereo CAS 7.2?

I want to prevent users from deleting registered devices, or disable the device management screen entirely. Allowing a user to delete a device and enroll a new one using only username/password appears insecure.

Is there a configuration option or recommended approach to enforce this restriction?

[Frédéric Dussurget]

Hi Roger, just in case, if you ever move to 7.3.3, users will get a mfa challenge before deleting/registering a gauth device, based on a a preexisting gauth device.

Regards,

[Roger]

screenshots for clarity

понедельник, 19 января 2026 г. в 19:32:37 UTC+3, Roger:

[Frédéric Dussurget]

Hi Roger,

I mean that in the 7.3 version, a malicious user won't be able to delete a registered device as long as he cannot provide the "suspicious_borg" ("sharp boyd" in your case) totp code to do so (see the popup window in the pic below that you might not get in your context). 

And the same way, he also won't be able to register his own device without detaining "sharp  boyd".

[Salazar Wagner]

In this context, how could more than one device be registered for the same login?

[Frédéric Dussurget]

Hi Salazar,

if you setcas.authn.mfa.gauth.core.multiple-device-registration-enabled= true, you may register multple devices using one of your preregistered totp devices. There's a dropdown select menu to select one of your devices :