This repository has been archived by the owner on May 18, 2021. It is now read-only.

Duo 2fa error #89

Closed
aplsms opened this issue Oct 19, 2018 · 5 comments

aplsms commented Oct 19, 2018

Hello,
I have a problem with one user during 2fa to Duo mobile.

$ aws-okta -d exec cnc -- aws s3 ls
DEBU[0000] Parsing config file /Users/lwaisberg/.aws/config
DEBU[0000] Using aws_saml_url from profile: cnc
DEBU[0000] using okta provider
DEBU[0000] Failed to reuse session token, starting flow from start
DEBU[0000] Step: 1
DEBU[0001] Step: 2
INFO[0001] Requesting MFA
DEBU[0001] 00...............................DS
DEBU[0001] Okta Factor Provider: DUO
DEBU[0001] Okta Factor ID: dsfk................0x7
DEBU[0001] Okta Factor Type: web
DEBU[0002] Host:api-e5f9f14f.duosecurity.com
Signature:TX|bHdha................................7624
StateToken:00jB.................ttiPhVeDS

DEBU[0002] challenge u2f
INFO[0002] Sending Push Notification...
Failed Duo challenge

Login to the AWS console is working fine. Another user has no such issue.

Could you point me to a way to investigate this issue?

aws-okta version 0.19.4

@nickatsegment
Contributor

First, try deleting the keychain items (they're searchable as aws-okta). That's happened to me before.

Otherwise, I wonder if there's a protocol-level problem. aws-okta uses undocumented Duo APIs to get the job done. Try adding debug logging that dumps the HTTP request/response objects and comparing them between your flow and the working flow from the other user.
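Added example (not part of the thread and not aws-okta's own code): one way to get the request/response dump suggested above is to wrap the transport of a Go `http.Client` in a logging `http.RoundTripper` that masks tokens, so dumps from the failing and the working user can be compared and shared. The names `dumpTransport` and `redact`, the list of sensitive field names, and the sample exchange are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"os"
	"regexp"
	"strings"
)

// Assumed sensitive names (from this issue's debug output and common auth flows); extend as needed.
var headerRe = regexp.MustCompile(`(?im)^((?:Cookie|Set-Cookie|Authorization):[ \t]*)[^\r\n]*`)
var fieldRe = regexp.MustCompile(`(?i)(\b(?:stateToken|sessionToken|signature|password|sid)"?\s*[:=]\s*"?)[^"&\s]+`)

// redact masks secret header and field values so a dump can be shared.
func redact(b []byte) string {
	return fieldRe.ReplaceAllString(headerRe.ReplaceAllString(string(b), "${1}[REDACTED]"), "${1}[REDACTED]")
}

// dumpTransport (hypothetical name) logs every exchange of an http.Client.
type dumpTransport struct{ next http.RoundTripper; out io.Writer }

func (t dumpTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	// DumpRequestOut and DumpResponse both restore the body after reading it.
	if d, err := httputil.DumpRequestOut(req, true); err == nil {
		fmt.Fprintf(t.out, ">>> %s\n", redact(d))
	}
	resp, err := t.next.RoundTrip(req)
	if err == nil {
		if d, derr := httputil.DumpResponse(resp, true); derr == nil {
			fmt.Fprintf(t.out, "<<< %s\n", redact(d))
		}
	}
	return resp, err
}

func main() { // one constructed exchange against a local test server
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Set-Cookie", "sid=CONSTRUCTED-COOKIE")
		io.WriteString(w, `{"status":"MFA_CHALLENGE","stateToken":"CONSTRUCTED-STATE"}`)
	}))
	defer srv.Close()
	c := &http.Client{Transport: dumpTransport{http.DefaultTransport, os.Stderr}}
	if resp, err := c.Post(srv.URL, "application/json", strings.NewReader(`{"password":"CONSTRUCTED-PW"}`)); err == nil {
		resp.Body.Close()
	}
}
```

Only the logged copy is masked; the caller and the server still see the real values, so the flow under investigation is not altered.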

@nickatsegment
Contributor

Also, are you a Duo admin?

@aplsms
Author

aplsms commented Oct 20, 2018

I'm not a Duo admin, but he is sitting next to me.
I will delete the aws-okta keychain item and repeat that again.
Is there any way to get a full debug of the http/https session on aws-okta?

@aplsms
Author

aplsms commented Oct 23, 2018

Cleaning up the keychain did not help. Is it possible to set the level of logging to something like "trace", just to see requests and responses?

@aplsms
Author

aplsms commented Oct 25, 2018

Fixed by reinstalling the Mac.

aplsms closed this as completed Oct 25, 2018