DUO MFA asking users to re-enroll even though they are already registered with DUO

Problem Statement

We noticed that DUO MFA asks users to re-enroll even though they are already registered with DUO. The username provided to DUO is a Base64 token, so DUO treats the request as coming from a new user.
We did not configure what information gets sent to DUO during MFA.

Cause

By default, Auth0 uses the following logic to generate a user’s username in Duo:

  1. Take the Auth0 user_id.
  2. Encode it in Base64.
  3. Transform it to lowercase.

In your case, the result does not match the usernames that already exist in DUO for your users.

Solution

You can specify the username value within the rule you have set up to enable DUO MFA. By adding the following to your rule, you can set the username to be any part of the user object:

function (user, context, callback) {
  context.multifactor = {
    provider: 'duo',
    allowRememberBrowser: false,
    // Override the default (lowercased Base64 of user_id) with a value
    // that matches the usernames already enrolled in DUO.
    username: user.email
  };

  callback(null, user, context);
}
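As an added example (not Auth0's or Duo's own code), the following script reproduces the default username derivation from the Cause section and runs the rule from the Solution section against a constructed user and a constructed list of usernames that DUO already knows, so you can see which value is sent and whether it matches. `checkEnrollment`, `knownDuoUsernames` and the sample data are hypothetical names and values.

```javascript
// Added example, not Auth0's or Duo's code. Reproduces the default Duo
// username derivation and contrasts it with the explicit username set by
// the rule. All user objects and Duo-side usernames are constructed.

function defaultDuoUsername(userId) {
  // Steps 1-3 from the Cause section: user_id -> Base64 -> lowercase.
  return Buffer.from(userId, 'utf8').toString('base64').toLowerCase();
}

// Same rule as in the Solution section, as a plain function so it can be
// exercised offline.
function duoRule(user, context, callback) {
  context.multifactor = {
    provider: 'duo',
    allowRememberBrowser: false,
    username: user.email
  };
  callback(null, user, context);
}

// Hypothetical helper: runs the rule and reports whether the username handed
// to Duo matches one Duo already knows (i.e. no re-enrollment prompt).
function checkEnrollment(user, knownDuoUsernames) {
  const ctx = {};
  let sent = null;
  duoRule(user, ctx, (err, u, c) => {
    sent = err ? null : c.multifactor.username;
  });
  const derived = defaultDuoUsername(user.user_id);
  return {
    defaultUsername: derived,
    sentUsername: sent,
    defaultMatches: knownDuoUsernames.includes(derived),
    sentMatches: knownDuoUsernames.includes(sent)
  };
}

// Constructed sample: Duo was provisioned with e-mail addresses, not with
// encoded Auth0 user ids.
const sampleUser = { user_id: 'auth0|1', email: 'alice@example.com' };
const duoDirectory = ['alice@example.com'];
const report = checkEnrollment(sampleUser, duoDirectory);
console.log(report);
```

With the sample data the default derivation yields `yxv0adb8mq==`, which is absent from the Duo directory, while the e-mail address sent by the rule is present.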