Hi, I am currently working on implementing MFA on our CAS solution deployed in our University for over 30 000 students and over 2 000 staff members.
First step was to make a PoC to explore what we are able to do with MFA, what we aren't, what is "easy" to implement, what will need some work... I've been able to reach a point where we are forced to use MFA when we login (and I know I can configure it to only be triggered every x days or x attempts etc.). When we are prompted to use MFA, we can choose between Google Authenticator and Personal mail.

Personal mail is working as intended (except that the token provided is "CASMFA-000000" and it would have been better to only have numbers if it's possible?).

My main problem is on the Google Authenticator one. I'm able to register my device and use an authenticator, everything is working fine (the registered devices disappear if I restart my server but I think it's because it's stored in app memory and not in a database). The only problem is that you can remove the registered device without being asked for any Token or whatever. It means anyone with the right credentials can remove the registered device and put their device to receive the token and authenticate with MFA.

I've tried a lot of things, even a groovy script (but I didn't find the property to link the script to the MFA...) and a property seemed to work in the past: "cas.authn.mfa.gauth.device-registration.delete-requires-mfa" but I'm unable to find it anymore.

Does anyone have a solution and/or already experienced this?

Thanks in advance for your help.