Tomi,

If MFA is optional, then it cannot be enforced, so the bypass makes sense.

MFA would/should be triggered when the user visits a service (you can add MFA 
required to the service definition or set it globally, etc.).

You can set a default service that is redirected to after login, 
https://apereo.github.io/cas/6.6.x/authentication/Configuring-SSO.html
cas.view.default-redirect-url

There is also this property on the same page,
cas.sso.allow-missing-service-parameter

Ray

On Thu, 2023-01-12 at 00:38 -0800, 'Tomi Karlstedt' via CAS Community wrote:

Hi,

Our implementation uses the CAS login form to log users in and checks 
username/password from a separate service. We're adding an optional MFA for 
users and we want to save the chosen MFA provider per user into the same 
service that handles usernames and passwords.

There's a way to trigger MFA from a REST endpoint (implemented by 
RestEndpointMultifactorAuthenticationTrigger) which seems to suit us well. 
However, the current implementation of the REST MFA trigger seems to let users 
bypass MFA by simply not including the service parameter when logging in. To me 
this seems like a glaring bug in the implementation.

My question is, can we force the service parameter (server side) or set a 
default service somehow in the login flow to mitigate this immediately?

Tomi
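As an added example, written for this page and not taken from Ray, Tomi or the CAS project: a cas.properties fragment that puts the two properties Ray cites next to the REST-trigger settings they are meant to back up. The two properties Ray names are real; the remaining property names are assumptions based on the CAS 6.6 documentation, and every hostname and URL is a placeholder. Verify each key against the version you actually run before relying on it.

```properties
# Added example, not CAS project configuration. Keys other than
# cas.sso.allow-missing-service-parameter and cas.view.default-redirect-url
# are assumptions from the CAS 6.6 docs; hostnames are placeholders.

# 1. Strict option: refuse to run the login flow when no service parameter
#    is present. A request to /login without ?service=... is rejected, so a
#    service-less SSO session (the path that skips the REST trigger) cannot
#    be created. Default is true, which is the permissive setting.
cas.sso.allow-missing-service-parameter=false

# 2. Softer option Ray mentions: send service-less logins to a fixed
#    landing page after authentication. This only controls where the
#    browser is redirected; it does not attach a service to the
#    authentication request itself, so use it with (1), not instead of it.
cas.view.default-redirect-url=https://portal.example.org/

# 3. REST MFA trigger (assumed keys). CAS posts principal and service
#    details to this endpoint and treats the response body as the provider
#    id to enforce (e.g. mfa-duo); an empty body means no MFA for this user.
cas.authn.mfa.triggers.rest.url=https://idp-backend.example.org/mfa-policy
cas.authn.mfa.triggers.rest.method=POST

# 4. Defence in depth (assumed key): a global trigger requires the named
#    provider for every service regardless of what the REST endpoint says.
#    Leave this commented out while MFA is meant to stay optional per user.
# cas.authn.mfa.triggers.global.global-provider-id=mfa-duo
```

The per-service route Ray also refers to lives in the service's JSON definition rather than in cas.properties: a `multifactorPolicy` block naming the provider in `multifactorAuthenticationProviders`. Whichever trigger you rely on, setting (1) to false is the piece that answers Tomi's "force it server side" question, because it removes the service-less login path instead of merely changing where it lands.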
