
Login MFA FAQ

This FAQ section contains frequently asked questions about the Login MFA feature.

Q: What are the various MFA workflows that are available to me as an OpenBao user, and how are they different?

| MFA workflow | What does it do? | Who manages the MFA? |
|---|---|---|
| Login MFA | MFA in OpenBao provides MFA on login. CLI, API, and UI-based login are supported. | MFA is managed by OpenBao |
| Okta Auth MFA | This is MFA as part of the Okta Auth method in OpenBao, where MFA is enforced by Okta on login. MFA must be satisfied for authentication to be successful. This is different from the Okta MFA method used with Login MFA. CLI/API login are supported. | MFA is managed externally by Okta |

Q: What is Single-Phase MFA vs. Two-Phase MFA?

  • Single-Phase MFA: This is a single-request mechanism where the required MFA information, such as the MFA method ID, is provided via the X-Vault-MFA header in a single MFA request that is used to authenticate into OpenBao.

    Note: If the configured MFA methods need a passcode, it needs to be provided in the request, as in the case of TOTP or Duo. If the configured MFA methods, such as PingID, Okta, or Duo, do not require a passcode and have out-of-band mechanisms for verifying the extra factor, OpenBao will send an inquiry to the other service's APIs to determine whether the MFA request has yet been verified.

  • Two-Phase MFA: This is the more conventional two-request mechanism.
    • The MFA passcode required for the configured MFA method is not provided in a header of the MFA-restricted login request. Instead, the user first authenticates to the auth method, and on successful authentication an MFA requirement is returned to the user. The MFA requirement contains the MFA RequestID and the constraints applicable to the MFA as configured by the operator.
    • The user then must make a second request to the sys/mfa/validate endpoint, providing the MFA RequestID and an MFA payload that includes the passcode for each MFA method ID (if applicable). If MFA validation passes, the new OpenBao token is persisted and returned to the user in the response, just like a regular OpenBao token created using a non-MFA-restricted auth method.
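The two-phase exchange above, as an added example that is not part of this page or of the OpenBao project's code: a small Python client that performs phase one against an auth method, reads the returned MFA requirement, and posts the collected passcodes to sys/mfa/validate. The JSON field names it relies on (auth.mfa_requirement with mfa_request_id and mfa_constraints, each constraint listing methods under "any" with "id" and "uses_passcode", and the mfa_payload map) are assumptions taken from the Vault-derived API and are not stated on this page.

```python
"""Two-phase Login MFA client (added example; not OpenBao project code).

Assumed, not stated on the page: phase-one login responses carry
auth.mfa_requirement.{mfa_request_id, mfa_constraints}, each constraint listing
methods under "any" with "id" and "uses_passcode"; sys/mfa/validate accepts
{"mfa_request_id": ..., "mfa_payload": {<method_id>: [<passcode>, ...]}}.
"""
import json
import urllib.request


def _post(addr: str, path: str, body: dict) -> dict:
    """POST a JSON body to an OpenBao API path (under /v1/) and decode the reply."""
    req = urllib.request.Request(f"{addr}/v1/{path}", data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def pending_mfa(login_response: dict) -> tuple[str, list[str]]:
    """Return (mfa_request_id, method IDs that need a passcode); ("", []) means the
    login was not MFA-restricted and the response already carries a token."""
    requirement = (login_response.get("auth") or {}).get("mfa_requirement")
    if not requirement:
        return "", []
    needs_code = [m["id"]
                  for constraint in requirement.get("mfa_constraints", {}).values()
                  for m in constraint.get("any", [])
                  if m.get("uses_passcode")]
    return requirement["mfa_request_id"], needs_code


def validate_body(mfa_request_id: str, passcodes: dict[str, str]) -> dict:
    """Body for POST sys/mfa/validate; each passcode is sent as a list keyed by method ID."""
    return {"mfa_request_id": mfa_request_id,
            "mfa_payload": {mid: [code] for mid, code in passcodes.items()}}


def two_phase_login(addr: str, auth_path: str, creds: dict, ask_passcode) -> str:
    """Phase 1: authenticate to the auth method. Phase 2, only when MFA-restricted:
    send the request ID plus passcodes to sys/mfa/validate. Returns the client token."""
    first = _post(addr, auth_path, creds)
    request_id, method_ids = pending_mfa(first)
    if not request_id:
        return first["auth"]["client_token"]
    codes = {mid: ask_passcode(mid) for mid in method_ids}
    second = _post(addr, "sys/mfa/validate", validate_body(request_id, codes))
    return second["auth"]["client_token"]
```

Call two_phase_login(addr, "auth/userpass/login/<user>", {"password": ...}, ask) with an ask callback that prompts for the TOTP code; methods whose uses_passcode is false (push-style factors) are left out of the payload and are verified out of band by the server.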

Q: What are the ways to configure the various MFA workflows?

| MFA workflow | Configuration methods | Details |
|---|---|---|
| Login MFA | CLI/API | Configured using the identity/mfa/method endpoints, then passing those method IDs to the identity/mfa/login-enforcement endpoint. MFA methods supported: TOTP, Okta, Duo, PingID. |
| Okta Auth MFA | CLI/API | MFA methods supported: TOTP, Okta Verify Push. |

Q: Which MFA mechanism is used with the different MFA workflows in OpenBao?

| MFA workflow | UI | CLI/API | Single-Phase | Two-Phase |
|---|---|---|---|---|
| Login MFA | Supported | Supported. You can select single-phase MFA by supplying the X-Vault-MFA header. In the absence of this header, Two-Phase MFA is used. | N/A | Supported |
| Okta Auth MFA | N/A | N/A | MFA is not managed by OpenBao | MFA is not managed by OpenBao |

Q: I use the OpenBao Agent. Does MFA pose any challenges for me?

The OpenBao Agent should not use MFA to authenticate to OpenBao; it should be able to relay requests with MFA-related headers to OpenBao successfully.