SQRL Auth + DUO MFA


pukka

New member
Feb 6, 2020
Hello Friends,

I've been playing with SQRL login on a personal WP site. In addition to SQRL and regular username/pw login, I have Cisco DUO active to provide Multi-Factor authentication. This works beautifully, with SQRL performing primary auth followed by DUO for secondary auth. The only hang-up is when using SQRL's "Request only SQRL login" function to disable user/pw authentication.

After enabling "Request only SQRL login", SQRL login succeeds as expected and the DUO prompt is shown for second factor authentication. After performing DUO auth, I am kicked back to the login screen with an "only SQRL is allowed for login" message. I expect that the DUO plugin is detected as a separate login event, leading to this error. Is there any way around this? I realize that MFA is not as critical when using SQRL, but it would still be nice to have. I suspect that other administrators will be looking to implement similar functionality as SQRL grows in popularity.
 

PHolder

Well-known member
May 19, 2018
This sounds like you would need a configuration in the plug-in to say which other authentication plug-ins are allowed, assuming such info is available between plug-ins.
 

pukka

New member
Feb 6, 2020
That's what I was thinking as well. Would like to hear a developer weigh in. Is it technically possible? Would implementing such a feature break the spec?
 

Sithmagic

Well-known member
Oct 12, 2019
I suspect that the problem will be found such that with SQRL-only login, the username/password auth process is being checked by the 2nd factor and it can't because it has been disabled. These requests should go via a wrapper to indicate that the first part of 2 factor is ok - even "if then else" logic would do. This would be part of the server's auth code and outside SQRL, so won't change the spec.
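
The wrapper idea from the post above, as an added example that is not part of the thread and is not code from the SQRL or DUO plug-ins. It models the flow in Python rather than WordPress code; the ticket format, key, method labels and function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"  # assumption: a per-site secret; constructed value
TICKET_TTL = 300  # seconds a completed primary factor stays usable

def _mac(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_ticket(user, method, now=None):
    """Record which primary factor succeeded, signed so a client cannot forge it."""
    if "|" in user or "|" in method:
        raise ValueError("field separator not allowed in user or method")
    ts = int(time.time() if now is None else now)
    body = f"{user}|{method}|{ts}"
    return f"{body}|{_mac(body)}"

def verify_ticket(ticket, now=None):
    """Return (user, method) for an authentic, unexpired ticket, else None."""
    if not isinstance(ticket, str):
        return None
    try:
        user, method, ts, mac = ticket.split("|")
        issued = int(ts)
    except ValueError:
        return None
    expected = _mac(f"{user}|{method}|{ts}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    age = (time.time() if now is None else now) - issued
    if age < 0 or age > TICKET_TTL:
        return None
    return user, method

def naive_policy(event_method, sqrl_only):
    """Hypothesis from the thread: every login event must itself be SQRL."""
    return not sqrl_only or event_method == "sqrl"

def wrapped_policy(event_method, sqrl_only, ticket=None, now=None):
    """SQRL-only restricts the primary factor; a second-factor event is judged
    by the signed record of which primary factor preceded it."""
    if event_method != "second_factor":
        return naive_policy(event_method, sqrl_only)
    verified = verify_ticket(ticket, now)
    if verified is None:
        return False  # no proof of a completed primary factor
    _user, primary = verified
    return not sqrl_only or primary == "sqrl"
```

Signing the ticket matters: if the record of the first factor were a plain flag the client could set, the second-factor step would become a way around the SQRL-only setting.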
 

kalaspuffar

Well-known member
May 19, 2018
Sweden
coderinsights.com
Hi @pukka

Well, I don't use 2-factor myself so I don't really know how this affects the login flow. But my main concern is that communication between plugins is tricky and we are not going to solve all issues that might arise. I'll look into it and see if this might be a general issue with 2F login.

I might try with a Google Authenticator for instance and see if that works.

Best regards
Daniel