multiOTP / multiotp

multiOTP open source strong two factor authentication PHP library, OATH certified, with TOTP, HOTP, Mobile-OTP, YubiKey, SMS, QRcode provisioning, etc.
http://www.multiOTP.net/
GNU Lesser General Public License v3.0

WITHOUT2FA users expecting empty OTP (multiOTP Credential Provider question) #193

Closed Armaggedon closed 3 months ago

Armaggedon commented 3 months ago

I'm running multiOTP 5.9.7.1 2023-12-03. The scenario is for RDP connections.

user1 belongs to mfa-group. user2 belongs to non-mfa-group. I've configured an MFA group and a non-MFA group:

multiotp -config ldap-in-group="mfa-group"
multiotp -config ldap-without2fa-in-group="non-mfa-group"

Users seem to be synched correctly, with algorithm=totp for user1 and algorithm=without2fa for user2 respectively, plus their group correctly defined. However, the OTP is asked for both. I've tried deleting user2 and resynching, without any change.

I've noticed that if user2 inputs an empty OTP, it works and the login goes through. Is this the expected behaviour? I would expect that WITHOUT2FA users would not get the OTP prompt at all, to avoid confusing them.

multiOTP commented 3 months ago

Hello, this is more of a multiOTP Credential Provider question. Did you disable the 2FA prompt for multiOTP without2FA users during the setup?


Regards,

Armaggedon commented 3 months ago

I certainly forgot about that option. Of course, it worked after reinstalling the CP to set it. Many thanks for the quick reply! You can close this issue (or delete it, since it was my oversight).

Best regards.

multiOTP commented 3 months ago

You're welcome. Regards,