Clarification on TOTP MFA Enforcement Behavior During New Identity Enrollment

I’ve been testing MFA (TOTP) integration in my OpenZiti deployment and noticed some confusing behavior when enforcing TOTP in the default authentication policy.

Currently, I can manually enable MFA for each identity, which works fine—but with around 100–200 users, managing MFA individually becomes impractical.

To streamline this, I tried enabling TOTP MFA enforcement in the default authentication policy so that new identities are automatically required to use MFA during enrollment. However, when a new user enrolls, the Ziti Desktop Edge client skips the QR code or secret key display step and directly prompts for a TOTP code.

At that point, the user has no prior secret or authenticator app configured, so they’re effectively stuck.

Could you please clarify whether this is

  • The intended behavior (by design),

  • A known issue or bug, or

  • Is there any recommended workaround to enforce MFA automatically but still allow users to see the QR code for initial setup?

  • Also, I don't see any option to implement MFA for the Ziti mobile client.

The goal is to have new users automatically prompted to set up MFA during their first enrollment—without needing per-user manual intervention.

I just need to know whether it is intended to work like that, and whether there are any workarounds to enforce MFA while enrolling.
@TheLumberjack

tinywow_openziti totp issue_85263535
This video shows how I force-enable MFA for everyone using the default config; while I enroll, it directly asks for a TOTP code, not the usual authenticator setup.
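Before flipping `requireTotp` on a policy that 100–200 identities share, an operator would want to know which of those identities have no authenticator enrolled yet, since those are the ones that hit the dead end described above. The following script is an added example, not OpenZiti project code or anything from the original post. It assumes (as an assumption, not a documented contract) record shapes modelled on the Edge Management API: an auth policy carrying `secondary.requireTotp`, and an identity carrying `authPolicyId` and `isMfaEnabled`. The records embedded below are constructed sample data; in practice they would be loaded from the controller's auth-policy and identity listings.

```python
"""Audit identities that a TOTP-required auth policy would lock out.

Added example (not OpenZiti code). Assumed record shapes, modelled on the
Edge Management API: auth policies expose `secondary.requireTotp`; identities
expose `authPolicyId` and `isMfaEnabled` (True once an authenticator is
enrolled). Sample records are constructed for this example.
"""
from dataclasses import dataclass

# Constructed sample: the default policy requires TOTP, a second one does not.
AUTH_POLICIES = [
    {"id": "default", "name": "Default", "secondary": {"requireTotp": True}},
    {"id": "no-mfa", "name": "No MFA", "secondary": {"requireTotp": False}},
]

# Constructed sample identities. "dave" references a policy id that does not
# exist in the listing, which the audit treats as a finding rather than ignoring.
IDENTITIES = [
    {"id": "i1", "name": "alice", "authPolicyId": "default", "isMfaEnabled": True},
    {"id": "i2", "name": "bob", "authPolicyId": "default", "isMfaEnabled": False},
    {"id": "i3", "name": "carol", "authPolicyId": "no-mfa", "isMfaEnabled": False},
    {"id": "i4", "name": "dave", "authPolicyId": "missing", "isMfaEnabled": False},
]


@dataclass(frozen=True)
class Finding:
    identity: str
    policy_id: str
    reason: str


def totp_required(policies, policy_id):
    """Return (required, known) for the given policy id.

    `required` is True when the policy's secondary factor demands TOTP.
    An id that is not in the listing yields (True, False): fail closed, so the
    identity is reported instead of silently assumed safe.
    """
    for policy in policies:
        if policy.get("id") == policy_id:
            secondary = policy.get("secondary") or {}
            return bool(secondary.get("requireTotp", False)), True
    return True, False


def audit(policies, identities):
    """Return one Finding per identity that would be blocked at authentication:
    its policy requires TOTP but no authenticator is enrolled, or its policy
    cannot be resolved at all.
    """
    findings = []
    for ident in identities:
        required, known = totp_required(policies, ident.get("authPolicyId"))
        if not known:
            findings.append(Finding(ident["name"], str(ident.get("authPolicyId")),
                                    "auth policy not found"))
        elif required and not ident.get("isMfaEnabled", False):
            findings.append(Finding(ident["name"], ident["authPolicyId"],
                                    "TOTP required but no authenticator enrolled"))
    return findings


def summary(policies, identities):
    """Human-readable report lines, one per finding."""
    return [f"{f.identity}: policy={f.policy_id}: {f.reason}"
            for f in audit(policies, identities)]


if __name__ == "__main__":
    for line in summary(AUTH_POLICIES, IDENTITIES):
        print(line)
```

The fail-closed choice for unresolved policy ids is deliberate: an identity whose policy cannot be found should show up in the report so that the operator checks it, rather than being treated as unaffected by the TOTP requirement.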

Hi and thanks for letting us know about this. It definitely sounds like a bug in the macOS client. I’ll look into it early this week.

edit: your screen shots show the windows client, not macOS. Regardless, we’ll look into it.


Thanks for the reply @scareything, let me know if there is any progress on this; I'd appreciate it.

I also want to ask about MFA for the Ziti mobile client, because I can't find the option to enable it. Or is it an upcoming feature?

Any updates on this?