Hi!
Trying to test the MFA TOTP so I set up a new auth policy as such:
{
"name": "TOTP MFA ",
"primary": {
"cert": {
"allowExpiredCerts": true,
"allowed": true
},
"extJwt": {
"allowed": true,
"allowedSigners": []
},
"updb": {
"allowed": true,
"lockoutDurationMinutes": 0,
"maxAttempts": 5,
"minPasswordLength": 5,
"requireMixedCase": false,
"requireNumberChar": false,
"requireSpecialChar": false
}
},
"secondary": {
"requireTotp": true
},
"tags": {}
}
Created a new identity, assigned the auth policy to it, downloaded said identity and added it to my ZDEW and it looked like this:
Then clicked the Authenticate button and got the following:
I seem to be missing the code so I could add it to my authenticator app.
Any ideas how to solve this?
Also can't remove the identity since it asks me to
Thanks!
Controller: v1.6.7
ZAC: 3.11.2
ZDEW:2.7.3.1
Hi @montwepa,
It could not have looked like this. Are you absolutely sure? 
I ask because that's highly abnormal. I suppose maybe it's possible you downloaded an identity like this before?
ALL identities will look like this on the first time you enroll them:
Notice there is no lock icon and the MFA is not set to true. The only way MFA is set to true is after you have clicked that icon, entered your MFA code and then presumably saved the digits somewhere. From that screenshot, I would think you have already gone through that process.
At this point that identity is properly hosed. If you don't have the code from the MFA enabling process and if you didn't keep the backup codes, there's nothing to be done but reset MFA on that identity using the ZAC.
Here's what the flow should look like:
To reset MFA in ZAC you can go to the identity find it and :
Oh and yeah to remove it will be hard now. I will talk to the team and if we agree, I'll file a bug to fix that since it won't let you remove the identity without the MFA code. We might keep this as a pain though since you really should have to have the mfa code to actually remove it without being an administrator.... To remove it you will need to:
- Stop the ZDEW using the big green button
- delete the json/identity file at
C:\Windows\System32\config\systemprofile\AppData\Roaming\NetFoundry that represents the test identity
- start the ZDEW
Hi!
Thanks for the response.
I am sure! Video (or gif) proof below.
I did try TOTP once some time ago and it worked then. I added that identity to my authenticator app but have since removed said identity from my ZDEW. But I do still have the codes for that identity in my authenticator app.
Here's a video example of the flow I experience with a new identity:
Also I was able to remove the other identities by deleting the JSON files, thanks!
I tried creating a identity with the default auth policy and I was able to get the QR-code when clicking the "Multi Factor Auth" so that leads to me to think there something wrong with the auth policy I created. The only thing different from the default auth policy is the fact that Require TOTP
is set to true.
For your identities did you use the default auth policy or one that requires TOTP?
Ah. Thanks for the extra info and gif. i definitely used the default policy. I'll try again with a different policy. That flow you showed is definitely wrong. I'll try this first thing today and see if i can get a fix out ASAP assuming i can reproduce (i expect I'll be able to)
New Identity with TOTP required cannot enable MFA · Issue #877 · openziti/desktop-edge-win · GitHub is filed. I want to fix this today. I'll push it out to the beta and latest channels and possibly the stable branch, but we just had a push to stable so I'm not sure if it'll land there yet. You can configure the steam in Main Menu -> Advanced -> Settings -> Configure Automatic Upgrades -> use either https://get.openziti.io/zdew/beta.json or https://get.openziti.io/zdew/latest.json (not https://get.openziti.io/zdew/stable.json)
I'll follow up when it's complete
The fix will was rolled out to beta. You can install 2.7.4.0 from Release 2.7.4.0 · openziti/desktop-edge-win · GitHub
example gif:
