2 factor authentication is not working with Duo

jortiz-squaretrade · September 26, 2024, 8:46pm

I am facing issues enabling MFA authentication with Duo when moving my code from a Rule to Actions. When disabling the rule and configuring the Login Flow with my action Duo is asking me for registration regardless my users are already registered but when enabling the rule Duo remains the user and send the push notification for the login.

Rule Code:

function multifactorAuthentication(user, context, callback) {
    context.multifactor = {
      provider: 'duo',
      username: user.sAMAccountName // Here is the Duo user
    };
  callback(null, user, context);
}

Action Code:

exports.onExecutePostLogin = async (event, api) => {
        api.multifactor.enable("duo", {
          allowRememberBrowser: false, 
          providerOptions: {
            username: event.user.sAMAccountName // Here is the Duo user
          }
        });
};

Additionally I tried setting username like this but did not work:

api.multifactor.enable("duo", {
          allowRememberBrowser: false, 
          username: event.user.nickname // also: event.user.sAMAccountName
        });

I will really appreciate any help with this issue. Thanks in advance!

nkandev · September 30, 2024, 1:42pm

We are facing the same issue. If I follow the code prompts of the action js editor, the correct syntax for the post-login action should be:

api.multifactor.enable("duo", { allowRememberBrowser: false, providerOptions: {
        ikey: event.secrets.DUO_IKEY,
		    skey: event.secrets.DUO_SKEY,
		    host: event.secrets.DUO_HOST,
                    username: event.user.email,
      }
      });

However it looks like the username attribute is ignored and Auth0 still sends ids to to Duo. I changed the skey to something wrong and it broke the integration. Which suggest that this is the right way of customizing the duo config, but there is an issue with the way username is processed.

nkandev · October 1, 2024, 8:08am

Forgot to mention that if I do the same thing through Rules(as described here DUO MFA asking users to re-enroll even though they already are registered with DUO), it works like a charm. The problem is rules are deprecated.

nkandev · November 1, 2024, 8:41am

Seems the documentation is outdated. I got the correct script from the support. This seems to work. Hope it helps somebody:

exports.onExecutePostLogin = async (event, api) => {
               api.multifactor.enable('duo', { 
                providerOptions: {
                        ikey: event.secrets.DUO_IKEY,
                        skey: event.secrets.DUO_SKEY,
                        host: event.secrets.DUO_HOST,
                        username: event.user.email,
                        allowRememberBrowser: false
                }
               })                         
        };

Topic		Replies	Views
Duo MultiFactor- Unauthorized Help auth0 , mfa , mfa-duo	16	5220	September 6, 2019
Multifactor authentication with custom login and Duo throwing 403 MFA required Help mfa , custom-login , login , username-password-co , mfa-duo	3	4947	March 2, 2018
MFA turn on off despite application - rules Help mfa	3	1184	October 25, 2022
DUO MFA asking users to re-enroll even though they already are registered with DUO Knowledge Articles mfa-duo , enroll	0	1592	November 11, 2022
MFA Failing with Action but not Rule Help	2	1572	September 29, 2022

2 factor authentication is not working with Duo

Related topics