2 factor authentication is not working with Duo

I am facing issues enabling MFA authentication with Duo when moving my code from a Rule to Actions. When disabling the rule and configuring the Login Flow with my action, Duo is asking me for registration regardless of my users already being registered, but when enabling the rule Duo remains the user and sends the push notification for the login.

Rule Code:

function multifactorAuthentication(user, context, callback) {
  context.multifactor = {
    provider: 'duo',
    username: user.sAMAccountName // Here is the Duo user
  };
  callback(null, user, context);
}

Action Code:

exports.onExecutePostLogin = async (event, api) => {
  api.multifactor.enable("duo", {
    allowRememberBrowser: false,
    providerOptions: {
      username: event.user.sAMAccountName // Here is the Duo user
    }
  });
};

Additionally, I tried setting username like this, but it did not work:

api.multifactor.enable("duo", {
  allowRememberBrowser: false,
  username: event.user.nickname // also: event.user.sAMAccountName
});

I will really appreciate any help with this issue. Thanks in advance!

We are facing the same issue. If I follow the code prompts of the action js editor, the correct syntax for the post-login action should be:

api.multifactor.enable("duo", {
  allowRememberBrowser: false,
  providerOptions: {
    ikey: event.secrets.DUO_IKEY,
    skey: event.secrets.DUO_SKEY,
    host: event.secrets.DUO_HOST,
    username: event.user.email,
  }
});

However, it looks like the username attribute is ignored and Auth0 still sends ids to Duo. I changed the skey to something wrong and it broke the integration, which suggests that this is the right way of customizing the Duo config, but there is an issue with the way username is processed.

Forgot to mention that if I do the same thing through Rules (as described here: "DUO MFA asking users to re-enroll even though they already are registered with DUO"), it works like a charm. The problem is rules are deprecated.

Seems the documentation is outdated. I got the correct script from the support. This seems to work. Hope it helps somebody:

exports.onExecutePostLogin = async (event, api) => {
  api.multifactor.enable('duo', {
    providerOptions: {
      ikey: event.secrets.DUO_IKEY,
      skey: event.secrets.DUO_SKEY,
      host: event.secrets.DUO_HOST,
      username: event.user.email,
      allowRememberBrowser: false
    }
  })
};
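
A defensive variant of the Action above, as an added example that is not part of the thread and not Auth0's or Duo's own code: it denies the login when a Duo secret or a usable username is missing, rather than calling Duo without one. The helper names (`resolveDuoUsername`, `planDuoMfa`, `makeApiStub`), the attribute preference order and the fail-closed policy are assumptions; the `providerOptions` layout follows the script in the last post.

```javascript
// Added example; helper names here are hypothetical, not Auth0 or Duo code.
const REQUIRED_SECRETS = ["DUO_IKEY", "DUO_SKEY", "DUO_HOST"]; // names used in the thread

// Pick the Duo username; the preference order is an assumption of this example.
function resolveDuoUsername(user) {
  const found = [user.sAMAccountName, user.email]
    .find((v) => typeof v === "string" && v.trim() !== "");
  return found ? found.trim() : null;
}

// Pure decision step, so the outcome can be checked without a tenant.
function planDuoMfa(event) {
  const secrets = event.secrets || {};
  if (REQUIRED_SECRETS.some((k) => !secrets[k])) {
    return { deny: "MFA configuration error" }; // do not echo secret names to the client
  }
  const username = resolveDuoUsername(event.user || {});
  if (!username) {
    // Fail closed instead of sending Duo a login with no mapped username.
    return { deny: "No Duo username available for this account" };
  }
  return {
    options: {
      providerOptions: {
        ikey: secrets.DUO_IKEY,
        skey: secrets.DUO_SKEY,
        host: secrets.DUO_HOST,
        username,
        allowRememberBrowser: false, // placement as in the support-provided script
      },
    },
  };
}

const onExecutePostLogin = async (event, api) => {
  const plan = planDuoMfa(event);
  if (plan.deny) return api.access.deny(plan.deny);
  api.multifactor.enable("duo", plan.options);
};
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;

// Minimal stand-in for the Actions `api` object, for local checks only.
function makeApiStub() {
  const calls = [];
  return {
    calls,
    access: { deny: (reason) => calls.push(["deny", reason]) },
    multifactor: { enable: (provider, opts) => calls.push(["enable", provider, opts]) },
  };
}
```

Running the handler against `makeApiStub()` shows exactly which `username` the Action hands to `api.multifactor.enable`, which separates a mapping mistake in the Action from the platform-side handling discussed in the thread.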