Autumn flow: MFA and Password interoperability

Cantor, Scott cantor.2 at
Tue Jul 9 12:52:35 EDT 2019

> So if a user never completes the MFA (Password+Duo) flow there will be no
> merged principals?  So a second app that uses MFA (Password only) will be
> required to fulfill the first factor in all cases?

The only way to finish authentication when MFA is the only flow that's enabled is for it to complete with a null/proceed event signal, there's just nothing produced otherwise. No request would ever complete with anything but either a pending conversation waiting in the middle of the MFA subflow somewhere or an actual error event that completes all of the nested steps and wraps up the top level flow conversation.

It's the equivalent of Password alone when you sit on the login form and never successfully submit it.

-- Scott

More information about the users mailing list