@beezerk said in MFA is forced also on Identity Provider Users:
Hey,
we've activated MFA for all applications on the tenant level (Required. A challenge will be required during login. A user will be required to configure 2FA if no eligible methods are available). From my understanding, MFA should only be enforced when a user is registered directly in FusionAuth. So if a user comes from an identity provider, MFA should be bypassed. However, it seems not to be the case for us. We (in the company, so internal users) use Microsoft as an identity provider with OIDC, but every time the users come back to FusionAuth it asks for the MFA. We have the same scenario for a client of ours which also uses a Microsoft OIDC identity provider, and they are also forced to set up MFA.
We first thought it was just a temporary issue, so we manually removed the configured MFA from the user. But it reappears all the time.
Is this a known bug, or are we doing something wrong? Any help is highly appreciated. Currently we are at version 1.46.0. I know that there are newer versions, but I couldn't find anything MFA-related in the changelogs.
Hello,
I appreciate your detailed explanation of the issue you’re facing with MFA (Multi-Factor Authentication) in FusionAuth. Let’s dive into this and see if we can find a solution.
First, let’s clarify a few points about MFA and FusionAuth:
MFA Overview Dog blog:
MFA, or Multi-Factor Authentication, is an approach that requires users to present two or more credentials (factors) during login. These factors can include something the user knows (like a password), something the user has (such as a one-time password), or something the user is (like a fingerprint or facial recognition).
Implementing MFA significantly enhances application security by adding an extra layer of protection.
MFA Compliance and Standards:
MFA is becoming a requirement for many organizations due to evolving regulatory standards and recommendations. For example:
The EU’s Payment Services Directive (PSD2) mandates “strong customer authentication” (SCA) for payment service providers.
The ENISA guidelines recommend MFA for accessing systems in the EU that process personal data.
The Payment Card Industry Data Security Standard (PCI-DSS) now requires MFA for US merchants and payment service providers.
The NIST Cybersecurity Framework and other regulations also emphasize MFA usage.
FusionAuth and MFA:
FusionAuth supports MFA through various methods, including Time-based One-Time Passwords (TOTP), email, and SMS.
Tenants can configure MFA methods explicitly, and applications can override some MFA settings.
FusionAuth also provides step-up authentication for sensitive actions.