goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

MFA validation required twice #10316

Open merclyn opened 4 months ago

merclyn commented 4 months ago

This issue has been present for a while (6-9 months), and I am not sure if it's something we introduced configuring it, or it's a bug.

When a user authenticates, they are then prompted to validate the MFA. Once they enter the correct TOTP code there is no reply on the screen, then the user must wait for a new TOTP code to be available, then when entering that new code they are allowed to log in.

We are currently using 2024.4.2 but we have updated a bunch of times and the issue is still happening.

I have included a log entry showing the TOTP auth twice.


{
  "auth_method": "password",
  "http_request": {
    "args": { "next": "/" },
    "path": "/api/v3/flows/executor/default-authentication-flow/",
    "method": "POST",
    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0"
  },
  "auth_method_args": {
    "mfa_devices": [
      {
        "pk": 6,
        "app": "authentik_stages_authenticator_totp",
        "name": "TOTP Authenticator - jacks phone",
        "model_name": "totpdevice"
      },
      {
        "pk": 6,
        "app": "authentik_stages_authenticator_totp",
        "name": "TOTP Authenticator - jacks phone",
        "model_name": "totpdevice"
      }
    ]
  }
}

BeryJu commented 4 months ago

There's another issue for this somewhere; this happens when the authentication flow has multiple MFA validation stages configured.

merclyn commented 4 months ago

This helped me find and fix the issue. Looks like I had another validation stage set up. Thanks for the help.

psilantropy commented 3 months ago

> This helped me find and fix the issue. Looks like I had another validation stage set up. Thanks for the help.

Seems to be deployed like this by default.

authentik-automation[bot] commented 15 hours ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

motey commented 9 hours ago

I also ran into this issue by setting the "Last validation threshold" in the Authenticator Validation Stage to 0.
I wanted the users to always validate MFA when logging in. But by setting the "Last validation threshold" to 0, users needed to randomly validate twice during one login flow.
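
As an added example (not code from this thread or from the authentik project), the check below scans login event contexts shaped like the log entry in the original report and reports the flows where one device appears more than once under `mfa_devices`, the symptom attributed above to multiple MFA validation stages in one flow. The sample events are constructed, and the function names and the premise that event contexts are available as a list of JSON objects are assumptions of this example.

```python
import json
from collections import Counter

# Constructed sample contexts, shaped like the log entry in the report above:
# one repeats a TOTP device, one validates once, one has no MFA data at all.
SAMPLE_EVENTS = json.loads("""
[
  {"auth_method": "password",
   "http_request": {"path": "/api/v3/flows/executor/default-authentication-flow/"},
   "auth_method_args": {"mfa_devices": [
     {"pk": 6, "app": "authentik_stages_authenticator_totp", "model_name": "totpdevice"},
     {"pk": 6, "app": "authentik_stages_authenticator_totp", "model_name": "totpdevice"}]}},
  {"auth_method": "password",
   "http_request": {"path": "/api/v3/flows/executor/default-authentication-flow/"},
   "auth_method_args": {"mfa_devices": [
     {"pk": 9, "app": "authentik_stages_authenticator_totp", "model_name": "totpdevice"}]}},
  {"auth_method": "password",
   "http_request": {"path": "/api/v3/flows/executor/default-authentication-flow/"},
   "auth_method_args": {}}
]
""")


def flow_slug(path):
    """Extract the flow slug from a flow executor path, or None if absent."""
    marker = "/flows/executor/"
    if marker not in path:
        return None
    return path.split(marker, 1)[1].strip("/") or None


def repeated_devices(context):
    """Map (app, model_name, pk) -> count for devices listed more than once."""
    devices = (context.get("auth_method_args") or {}).get("mfa_devices") or []
    counts = Counter(
        (d.get("app"), d.get("model_name"), d.get("pk"))
        for d in devices if isinstance(d, dict)  # skip malformed entries
    )
    return {key: n for key, n in counts.items() if n > 1}


def flows_with_double_validation(events):
    """Count, per flow slug, logins where the same device was validated repeatedly."""
    hits = Counter()
    for ctx in events:
        if repeated_devices(ctx):
            hits[flow_slug((ctx.get("http_request") or {}).get("path", ""))] += 1
    return dict(hits)
```

A flow slug that shows up in the result is the one to inspect for a second Authenticator Validation Stage binding.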