Request to keep MFA feature

[jaisankar1]

What version of UAA are you running? 75.22.2

Description of the issue:

• We noticed that "MFA feature is being deprecated and will be removed in a future release (docs: Added MFA deprecated notice and updated support text #2024)" in 76.0.0 (https://github.com/cloudfoundry/uaa-release/releases/tag/v76.0.0) while we are trying to upgrade our forked UAA to latest version.
• Can you please let us know the process, implementation details in order to retain this feature in forked version for current and future releases permanently?
• Since it's not going to be in upstream and only in forked version going forward, would that cause security concerns or any specific library upgrade that we need to take care?

[cf-gitbot]

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/184443444

The labels on this github issue will be updated when the story is started.

[strehle]

Hello @jaisankar1 ,

Some background first:
This was deprecated because of limited resources we have for maintenance of UAA. The feature itself was developed at a time where LDAP was mainly used and sometimes SAML for delegating the authentication. MFA is a requirement, yes, but we see more and more the usage of UAA as authentication proxy and MFA is active in the IdP. This means we see less use of this feature in UAA but MFA is active at the end of the delegated authentication, e.g. Azure AD, SAP IAM, Okta, etc...

MFA itself is not removed yet and if we do it, there will be a 77.+ release, so I strongly recommend that you upgrade to latest 76.x.x version. Release 76.x was created because of CSP and some breaking changes there. We will release 76.6.0 soon where CSP gets a configuration so that the breaking changes should not block you anymore.

@Tallicia @bruce-ricard any thoughts in addition?

[Lax77]

@strehle Could you let us know timeline for 77.+ release? This will help us better plan

[strehle]

@Lax77 there is no timeline and no final date for removal of MFA.

[Tallicia]

@jaisankar1 Can you provide some examples on how this is being used and the protocols employed for why MFA is not being used with the IDP?

[swalchemist]

Removing MFA is a priority for our team now and we're not sure yet if it will be in version 77 or 78.

[peterhaochen47]

The removal is scheduled to happen at the next UAA release (v77.0.0), which we will release soon.

To add to what @strehle said, here is more context about this feature removal (quoting the commit message about this removal):

  - This feature is under-utilized, and requires further
    maintenance for which our team lacks the resource. (For
    example, this feature is potentially vulnerable because
    a secure Content-Security-Policy cannot be applied to its
    pages without breaking them.) The feature has also been
    marked as "not ready for production" for a few years now.
    So we opt to remove the feature and instead recommend
    using the external IDPs's own MFA features.

Can you please let us know the process, implementation details in order to retain this feature in forked version for current and future releases permanently?

If you wish to keep this feature on your fork and maintain it, you could add back the code removed in #2717

Since it's not going to be in upstream and only in forked version going forward, would that cause security concerns or any specific library upgrade that we need to take care?

Please see the above context on the security concerns. The MFA feature does rely on some dependencies that need to be bumped if you want to maintain it in your fork; you can find them in #2717. Also as mentioned, this feature has been marked "not ready for production," but we don't have good context on what would make it production-ready aside from the "Content-Security-Policy" issue.