Teleport Connect doesn't support fallback to OTP when Per-session MFA is enabled

Expected behavior:
When [Per-session MFA](https://goteleport.com/docs/admin-guides/access-controls/guides/per-session-mfa/) is enabled, there should be a way to fallback to OTP for Teleport Connect (when both "Hardware Key" and "Authenticator App" have been configured for a user)

Current behavior:
Teleport Connect only prompts for the "Hardware Key".

Bug details:
- Teleport version: 15.4.18
- Recreation steps
- Debug logs

In `tsh`, fallback to OTP is supported with the `--mfa-mode=otp` option. No such fallback seems available for Teleport Connect.

The documentation seems to indicate that it should be supported in both:

> OTP can only be used with per-session MFA when using `tsh` or Teleport Connect to establish connections. A hardware MFA key is required for using per-session MFA with Teleport's Web UI.

Ref. https://goteleport.com/docs/admin-guides/access-controls/guides/per-session-mfa/

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Teleport Connect doesn't support fallback to OTP when Per-session MFA is enabled #46820

gabrielcossette
openedon Sep 20, 2024

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Teleport Connect doesn't support fallback to OTP when Per-session MFA is enabled #46820

Description

gabrielcossetteopenedon Sep 20, 2024

Metadata