GavinFrazar opened this issue
May 18, 2024
· 0 comments
Labels
- bug
- c-q7j: Internal Customer Reference
- mfa: Issues related to Multi Factor Authentication
- sso: Used for single sign on related tasks.
- tctl: tctl - Teleport admin tool
Teleport allows SSO users to configure MFA in Teleport.
It also allows them to log in without prompting for that MFA (the SSO provider is responsible for that, not Teleport).
However, if they do configure MFA and then lose that token (or the webauth `rp_id` is changed), then they can't remove the MFA and they can't change it.
Local users can ask a Teleport cluster admin to reset them.
SSO users can do the same, but it will only be possible while their ephemeral user still exists, since SSO users expire but their MFA configuration does not.
This is riding the line between bug and feature request imo, but I think it's a bug - it's pretty poor UX to make a cluster admin sync up with a user to get their MFA reset. They may be in different timezones for example.
Bug details:
Teleport version: v14.3.16
Recreation steps: configure SSO, log in to the web UI or tsh and add an MFA device. Now pretend you can't pass MFA prompts anymore and need to be reset. The cluster admin can only reset you if you happen to have logged in somewhat recently.