Autumn flow: MFA and Password interoperability
Cantor, Scott
cantor.2 at osu.edu
Tue Jul 9 12:52:35 EDT 2019
> So if a user never completes the MFA (Password+Duo) flow there will be no
> merged principals? So a second app that uses MFA (Password only) will be
> required to fulfill the first factor in all cases?
The only way to finish authentication when MFA is the only flow that's enabled is for it to complete with a null/proceed event signal, there's just nothing produced otherwise. No request would ever complete with anything but either a pending conversation waiting in the middle of the MFA subflow somewhere or an actual error event that completes all of the nested steps and wraps up the top level flow conversation.
It's the equivalent of Password alone when you sit on the login form and never successfully submit it.
-- Scott
More information about the users
mailing list