Hi everyone,

Despite the fact that I didn't get any answer to my problem, and in order to 
keep anyone looking for MFA Gauth information updated about the bad behaviour 
I've experienced for the last month (that I described in my first message), 
I'm coming back to you once again.
I've kept an eye on every release since I discovered my problem, and the 
latest release (7.2.0-RC5) introduces a new property: 
cas.authn.mfa.gauth.core.device-registration-enabled=true/false (the 
related commit is: https://github.com/apereo/cas/commit/15580dc).
This property is described as "When enabled, allows the user/system to 
register accounts and devices.".

It is one step ahead on the path to resolving the bad behaviour I've 
encountered with mfa-gauth, as the app now:
- disables registering a Google Auth device until you first connect with 
another way of MFA (in my case, with mfa-simple by email for the first time)
- still blocks gauth until you reach the "mini portal like environment" 
(https://apereo.github.io/cas/7.0.x/registration/Account-Management-Overview.html#account-profile-management) 
and register your device

It still includes things we would like to be changed/developed/removed, such 
as:
- if you enable multiple devices on gauth, since you already got at least 1 
device registered, you can still register multiple devices on the fly (as 
before the implementation of the new property)
- it would be nice to be able to prompt the user to register a gauth device 
when he first logs in with email (instead of being forced to use the "mini 
portal")

Thanks everyone for reading, and sorry if my English is bad.
You can email me or answer here if you've got questions.
I'd like to thank the Apereo contributors, as you made me take a good step 
ahead with this release, and I hope you will keep up the good work you are 
producing.

On Tuesday, 28 January 2025 at 15:28:55 UTC+1, Alexis G. wrote:

> Hi,
>
> I am currently working on implementing MFA on our CAS solution deployed in 
> our University for over 30 000 students and over 2 000 staff members.
>
> First step was to make a PoC to explore what we are able to do with MFA, 
> what we aren't, what is "easy" to implement, what will need some work...
>
> I've been able to reach a point where we are forced to use MFA when we 
> log in (and I know I can configure it to only be triggered every x days or x 
> attempts etc).
>
> When we are prompted to use MFA, we can choose between Google 
> Authenticator and Personal mail.
>
> Personal mail is working as intended (except that the token provided is 
> "CASMFA-000000" and it would have been better to only have numbers if it's 
> possible?).
>
> My main problem is on the Google Authenticator one.
> I'm able to register my device and use an authenticator, everything is 
> working fine (the registered devices disappear if I restart my server but I 
> think it's because it's stored in app memory and not in a database). The only 
> problem is that you can remove the registered device without being asked 
> for any token or whatever. It means anyone with the right credentials can 
> remove the registered device and put their own device to receive the token and 
> authenticate with MFA.
>
> I've tried a lot of things, even a Groovy script (but I didn't find the 
> property to link the script to the MFA...) and a property seemed to work in 
> the past: "cas.authn.mfa.gauth.device-registration.delete-requires-mfa" 
> but I'm unable to find it anymore.
>
> Does anyone have a solution and/or has anyone already experienced this?
>
> Thanks in advance for your help.
>
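
One way to audit a cas.properties file for the Google Authenticator registration settings discussed in this thread, as an added example (not code from the thread or from the CAS project). The multiple-device key name and the sample file contents are assumptions; the other two keys are quoted from the messages above.

```python
import re
# REG and LEGACY are quoted from the thread. MULTI is an assumed key name: the
# thread only says "if you enable multiple devices on gauth" without naming it.
REG = "cas.authn.mfa.gauth.core.device-registration-enabled"
LEGACY = "cas.authn.mfa.gauth.device-registration.delete-requires-mfa"
MULTI = "cas.authn.mfa.gauth.core.multiple-device-registration-enabled"

def canonical(key):
    # Spring relaxed binding: camelCase and snake_case spellings hit the same property.
    key = re.sub(r"(?<=[a-z0-9])([A-Z])", r"-\1", key.strip())
    return key.replace("_", "-").lower()

def parse_properties(text):
    # Minimal .properties reader: '#'/'!' comments, '=' or ':' separators,
    # trailing-backslash continuations; a later definition overrides an earlier one.
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        line = pending + line
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[canonical(m.group(1))] = m.group(2).strip()
    return props

def audit(text):
    props, findings = parse_properties(text), []
    if REG not in props:
        findings.append(f"{REG} is not set; the release default applies")
    elif props[REG].lower() == "true":
        findings.append(f"{REG}=true: users can register GAuth devices")
    if props.get(MULTI, "").lower() == "true":
        findings.append(f"{MULTI}=true: more devices can be added after the first")
    if LEGACY in props:
        findings.append(f"{LEGACY} is set; confirm your CAS version still reads it")
    return findings

# Constructed sample, not taken from a real deployment.
SAMPLE = """\
cas.authn.mfa.gauth.core.deviceRegistrationEnabled = true
cas.authn.mfa.gauth.core.multiple-device-registration-enabled: true
cas.authn.mfa.gauth.device-registration.delete-requires-mfa=true
"""
```

Calling `audit(SAMPLE)` returns one finding per line of the sample; the camelCase spelling on the first line is matched because keys are normalised before lookup.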

-- 
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.