MFA is forced also on Identity Provider Users
-
Hey,
we've activated MFA for all applications on the tenant level (Required. A challenge will be required during login. A user will be required to configure 2FA if no eligible methods are available). From my understanding MFA should only be enforced when a user is registered directly in FusionAuth. So if a user comes from an identity provider, MFA should be bypassed. However, it seems not to be the case for us. We (in the company, so internal users) use Microsoft as an identity provider with OIDC, but every time the users come back to FusionAuth it asks for MFA. We have the same scenario for a client of ours which also uses a Microsoft OIDC identity provider, and they are also forced to set up MFA.
We first thought it's just a temporary issue, so we manually removed the configured MFA from the user. But it reappears all the time.
Is this a known bug, or are we doing something wrong? Any help is highly appreciated. Currently we are at version 1.46.0. I know that there are newer versions, but I couldn't find anything MFA related in the changelogs.
-
@beezerk said in MFA is forced also on Identity Provider Users:
Hey,
we've activated MFA for all applications on the tenant level (Required. A challenge will be required during login. A user will be required to configure 2FA if no eligible methods are available). From my understanding MFA should only be enforced when a user is registered directly in FusionAuth. So if a user comes from an identity provider, MFA should be bypassed. However, it seems not to be the case for us. We (in the company, so internal users) use Microsoft as an identity provider with OIDC, but every time the users come back to FusionAuth it asks for MFA. We have the same scenario for a client of ours which also uses a Microsoft OIDC identity provider, and they are also forced to set up MFA.
We first thought it's just a temporary issue, so we manually removed the configured MFA from the user. But it reappears all the time.
Is this a known bug, or are we doing something wrong? Any help is highly appreciated. Currently we are at version 1.46.0. I know that there are newer versions, but I couldn't find anything MFA related in the changelogs.
Hello,
I appreciate your detailed explanation of the issue you’re facing with MFA (Multi-Factor Authentication) in FusionAuth. Let’s dive into this and see if we can find a solution.
First, let’s clarify a few points about MFA and FusionAuth:
MFA Overview Dog blog:
MFA, or Multi-Factor Authentication, is an approach that requires users to present two or more credentials (factors) during login. These factors can include something the user knows (like a password), something the user has (such as a one-time password), or something the user is (like a fingerprint or facial recognition).
Implementing MFA significantly enhances application security by adding an extra layer of protection.
MFA Compliance and Standards:
MFA is becoming a requirement for many organizations due to evolving regulatory standards and recommendations. For example:
The EU’s Payment Services Directive (PSD2) mandates “strong customer authentication” (SCA) for payment service providers.
The ENISA guidelines recommend MFA for accessing systems in the EU that process personal data.
The Payment Card Industry Data Security Standard (PCI-DSS) now requires MFA for US merchants and payment service providers.
The NIST Cybersecurity Framework and other regulations also emphasize MFA usage.
FusionAuth and MFA:
FusionAuth supports MFA through various methods, including Time-based One-Time Passwords (TOTP), email, and SMS.
Tenants can configure MFA methods explicitly, and applications can override some MFA settings.
FusionAuth also provides step-up authentication for sensitive actions.
-
Hi. At our company, we've encountered this same issue you're describing here. Our internal customers use Microsoft as an identity provider, but often (though not every time) users are sent to FusionAuth and asked for MFA.
Did you ever find a solution for this, or a lead? My initial thought was that it had something to do with session time, and that a user was trying to log back in while still technically logged into FusionAuth, but so far no amount of adjusting session times has helped, so that might be heading down the wrong road.
-
Hi beezerk, thanks for detailing the issue. I think it's a misconfiguration or a bug. Have you tried updating to the latest version of FusionAuth to see if it resolves the problem?
Also, double-check your tenant and application settings to ensure MFA rules are correctly applied. If the issue persists, reaching out to FusionAuth support might be beneficial.
Hope it works!
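The two replies above describe how the tenant-level MFA login policy and the application-level override interact, and suggest double-checking those settings. The script below is an added example for this thread, not FusionAuth's own code: a small offline diagnostic that takes tenant, application, user and identity-provider-link JSON in the shape the FusionAuth APIs return and predicts whether a login will hit an MFA challenge or a forced enrollment. The field names (`tenant.multiFactorConfiguration.loginPolicy`, `application.multiFactorConfiguration.loginPolicy`, `user.twoFactor.methods`, `identityProviderLinks`) and the precedence rule (an application policy, when set, wins over the tenant policy) are this example's assumptions about the API and should be checked against the docs for your version; the sample responses are constructed, not captured from a real tenant.

```python
"""Offline diagnostic: predict whether a FusionAuth login will be challenged
for MFA, from tenant / application / user / link JSON.

Added example for this forum thread, not FusionAuth's own code. Field names
and the application-overrides-tenant precedence are assumptions about the
FusionAuth API; verify them against the documentation for your version.
"""
from dataclasses import dataclass

# --- Constructed sample API responses (not captured from a real tenant) ---
SAMPLE_TENANT = {
    "tenant": {
        "multiFactorConfiguration": {
            "loginPolicy": "Required",          # the setting described in the thread
            "authenticator": {"enabled": True},
            "email": {"enabled": False},
            "sms": {"enabled": False},
        }
    }
}
SAMPLE_APP_NO_OVERRIDE = {"application": {"multiFactorConfiguration": {}}}
SAMPLE_APP_OVERRIDE = {
    "application": {"multiFactorConfiguration": {"loginPolicy": "Enabled"}}
}
SAMPLE_USER_NO_MFA = {
    "user": {"id": "u-1", "email": "alice@example.test", "twoFactor": {"methods": []}}
}
SAMPLE_USER_WITH_TOTP = {
    "user": {"id": "u-2", "email": "bob@example.test",
             "twoFactor": {"methods": [{"method": "authenticator"}]}}
}
SAMPLE_LINKS_OIDC = {  # user arrived through an OIDC identity provider
    "identityProviderLinks": [{"identityProviderId": "idp-placeholder",
                               "identityProviderUserId": "ms-user-placeholder"}]
}
SAMPLE_LINKS_NONE = {"identityProviderLinks": []}


@dataclass
class Diagnosis:
    effective_policy: str   # Disabled | Enabled | Required
    policy_source: str      # "application" or "tenant"
    has_methods: bool       # user already has an MFA method configured
    linked_to_idp: bool     # user is linked to an identity provider
    outcome: str            # no_challenge | challenge | forced_enrollment


def effective_login_policy(tenant: dict, application: dict) -> tuple[str, str]:
    """Return (policy, source). Assumption: an application-level loginPolicy,
    when present, overrides the tenant-level one."""
    app_cfg = application.get("application", {}).get("multiFactorConfiguration", {})
    if app_cfg.get("loginPolicy"):
        return app_cfg["loginPolicy"], "application"
    tenant_cfg = tenant.get("tenant", {}).get("multiFactorConfiguration", {})
    return tenant_cfg.get("loginPolicy", "Disabled"), "tenant"


def diagnose(tenant: dict, application: dict, user: dict, links: dict) -> Diagnosis:
    """Apply the policy semantics quoted in the thread: Required challenges
    every login and forces enrollment when no method exists; Enabled only
    challenges users who already have a method; Disabled never challenges."""
    policy, source = effective_login_policy(tenant, application)
    methods = user.get("user", {}).get("twoFactor", {}).get("methods", [])
    has_methods = len(methods) > 0
    linked = len(links.get("identityProviderLinks", [])) > 0
    if policy == "Disabled":
        outcome = "no_challenge"
    elif policy == "Enabled":
        outcome = "challenge" if has_methods else "no_challenge"
    elif policy == "Required":
        outcome = "challenge" if has_methods else "forced_enrollment"
    else:
        raise ValueError(f"unknown loginPolicy value: {policy!r}")
    return Diagnosis(policy, source, has_methods, linked, outcome)


def explain(d: Diagnosis) -> str:
    """Human-readable summary, flagging the exact situation reported in the thread."""
    msg = (f"effective loginPolicy={d.effective_policy} (from {d.policy_source}); "
           f"user has MFA methods={d.has_methods}; linked to IdP={d.linked_to_idp}; "
           f"expected outcome={d.outcome}")
    if d.linked_to_idp and d.outcome != "no_challenge":
        msg += (" -> IdP user will be challenged: lower the tenant policy or set an "
                "application-level override if federated users should not be prompted")
    return msg


if __name__ == "__main__":
    print(explain(diagnose(SAMPLE_TENANT, SAMPLE_APP_NO_OVERRIDE,
                           SAMPLE_USER_NO_MFA, SAMPLE_LINKS_OIDC)))
    print(explain(diagnose(SAMPLE_TENANT, SAMPLE_APP_OVERRIDE,
                           SAMPLE_USER_WITH_TOTP, SAMPLE_LINKS_NONE)))
```

Run against real data, the four inputs would come from the Tenant, Application, User and Identity Provider Link APIs for the affected user; comparing the predicted outcome with what the user actually sees separates a configuration effect (policy resolves to Required) from the intermittent behaviour the later replies describe.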
-
A client reached out to us with the same issue; they are being forced to configure MFA even though they are doing an SSO login, and the issue also seems to be intermittent. Hope FusionAuth comes up with a fix for this.