2 factor authentication is not working with Duo

jortiz-squaretrade · September 26, 2024, 8:46pm

I am facing issues enabling MFA authentication with Duo when moving my code from a Rule to Actions. When disabling the rule and configuring the Login Flow with my action Duo is asking me for registration regardless my users are already registered but when enabling the rule Duo remains the user and send the push notification for the login.

Rule Code:

function multifactorAuthentication(user, context, callback) {
    context.multifactor = {
      provider: 'duo',
      username: user.sAMAccountName // Here is the Duo user
    };
  callback(null, user, context);
}

Action Code:

exports.onExecutePostLogin = async (event, api) => {
        api.multifactor.enable("duo", {
          allowRememberBrowser: false, 
          providerOptions: {
            username: event.user.sAMAccountName // Here is the Duo user
          }
        });
};

Additionally I tried setting username like this but did not work:

api.multifactor.enable("duo", {
          allowRememberBrowser: false, 
          username: event.user.nickname // also: event.user.sAMAccountName
        });

I will really appreciate any help with this issue. Thanks in advance!

nkandev · September 30, 2024, 1:42pm

We are facing the same issue. If I follow the code prompts of the action js editor, the correct syntax for the post-login action should be:

api.multifactor.enable("duo", { allowRememberBrowser: false, providerOptions: {
        ikey: event.secrets.DUO_IKEY,
		    skey: event.secrets.DUO_SKEY,
		    host: event.secrets.DUO_HOST,
                    username: event.user.email,
      }
      });

However it looks like the username attribute is ignored and Auth0 still sends ids to to Duo. I changed the skey to something wrong and it broke the integration. Which suggest that this is the right way of customizing the duo config, but there is an issue with the way username is processed.

nkandev · October 1, 2024, 8:08am

Forgot to mention that if I do the same thing through Rules(as described here DUO MFA asking users to re-enroll even though they already are registered with DUO), it works like a charm. The problem is rules are deprecated.

nkandev · November 1, 2024, 8:41am

Seems the documentation is outdated. I got the correct script from the support. This seems to work. Hope it helps somebody:

exports.onExecutePostLogin = async (event, api) => {
               api.multifactor.enable('duo', { 
                providerOptions: {
                        ikey: event.secrets.DUO_IKEY,
                        skey: event.secrets.DUO_SKEY,
                        host: event.secrets.DUO_HOST,
                        username: event.user.email,
                        allowRememberBrowser: false
                }
               })                         
        };

Topic		Replies	Views
Duo MultiFactor- Unauthorized Help auth0 , mfa , mfa-duo	16	5220	September 6, 2019
MFA Failing with Action but not Rule Help	2	1570	September 29, 2022
Change DUO authentication method Help auth0 , mfa , mfa-duo	3	2948	July 22, 2020
Issue with DUO and ADFS Users Help mfa , mfa-duo	3	3183	May 30, 2020
Post-login action and MFA Help mfa , mfa-prompt-new-experience	3	443	May 24, 2024

2 factor authentication is not working with Duo

Related Topics