| layout | title | category |
|---|---|---|
default |
CAS - Multifactor Authentication |
Multifactor Authentication |
{% include variables.html %}
CAS provides support for a variety of multifactor authentication providers and options, while allowing one to design their own. The secondary authentication factor always kicks in after the primary step and existing authentication sessions will be asked to step-up to the needed multifactor authentication factor, should the request or trigger require it. The satisfied authentication context is communicated back to the application as well to denote a successful multifactor authentication event.
At a minimum, you need answer the following questions:
- Which provider(s) are we using for multifactor authentication?
- How and for whom are we triggering multifactor authentication?
The following multifactor providers are supported by CAS.
| Provider | Id | Instructions |
|---|---|---|
| Duo Security | mfa-duo |
See this guide. |
| YubiKey | mfa-yubikey |
See this guide. |
| RSA/RADIUS | mfa-radius |
See this guide. |
| Google Authenticator | mfa-gauth |
See this guide. |
| FIDO2 WebAuthN | mfa-webauthn |
See this guide. |
| CAS Simple | mfa-simple |
See this guide. |
| Twilio | mfa-twilio |
See this guide. |
| Inwebo | mfa-inwebo |
See this guide. |
| Custom | Custom | See this guide. |
Microsoft has removed the ability for external SSO servers to use Azure MFA. To use Azure MFA, you must also have all your users authenticate using Azure AD SSO. You may want to route authentication requests to Azure AD SSO using the delegated authentication features of CAS.
{% include_cached casproperties.html properties="cas.authn.mfa.core" %}
Multifactor authentication can be activated via a number of triggers. To learn more, please see this guide.
Each multifactor provider is equipped with options to allow for MFA bypass. To learn more, please see this guide.
CAS will consult the current configuration in the event that the provider being requested is unreachable to determine how to proceed. To learn more, please see this guide.
There are options and controls available to allow CAS to select a multifactor authentication provider, in case multiple triggers and conditions activate multiple providers. To learn more, please see this guide.