yahoo-eng-team team mailing list archive

[Bug 2125042] [NEW] Keystone disables MFA enforcement if multi_factor_auth_rules for a user contains an invalid/unknown method


Public bug reported:

Description

If a user’s multi_factor_auth_rules option includes an invalid or undefined authentication method, Keystone disables all MFA enforcement for that user.
This occurs even when other rules are valid. The effect is that a misconfiguration (or typo) silently downgrades authentication strength from MFA to single-factor without warning.

Steps to Reproduce

1. Create a user with MFA enabled:

openstack user create mfa-user --domain default \
    --password secret --enable

2. Set MFA options including an invalid method:

openstack user set mfa-user \
    --multi-factor-auth-enabled \
    --multi-factor-auth-rule password totp \
    --multi-factor-auth-rule nonsense
(where nonsense is not a valid auth method)

3. Attempt to authenticate as that user using only the password:

openstack --os-username mfa-user --os-password secret \
    --os-auth-url <URL> token issue


Expected Behavior

Keystone should reject invalid MFA rules at user configuration time.
Alternatively, Keystone should ignore the invalid rule but still enforce valid ones.
At minimum, a clear error should be logged and MFA enforcement should not be silently disabled.


Actual Behavior

Keystone accepts the invalid MFA rule.
MFA enforcement is completely disabled for that user.
Users can authenticate with a single factor, bypassing MFA.

Example Output

openstack user show mfa-user
...
| options             | {'multi_factor_auth_enabled': True,
|                       'multi_factor_auth_rules': [['password', 'totp'], ['nonsense']]} |

Even with multi_factor_auth_enabled=True, authentication works with password only.
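The following is an added model of the rule evaluation described in this report; it is not Keystone's code and does not reproduce its internals. It assumes the rule structure shown in the example output (multi_factor_auth_rules is a list of lists of method names), a constructed set of enabled auth methods, and the report's own rule set [['password', 'totp'], ['nonsense']]. mfa_check_lenient models the reported behaviour (one unknown method anywhere discards enforcement), mfa_check_strict models the expected behaviour (ignore only the invalid rule, log it, keep enforcing the rest), and validate_rules_at_config_time is the check an API could run before storing the option:

```python
"""Model of per-user MFA rule evaluation (added example, not Keystone code)."""
import logging

log = logging.getLogger("mfa-rules")

# Constructed: auth methods assumed to be enabled on the deployment.
KNOWN_METHODS = frozenset({"password", "totp", "token", "application_credential"})

# Rule set exactly as shown in the bug report's example output.
MFA_RULES_FROM_REPORT = [["password", "totp"], ["nonsense"]]


def rules_satisfied(rules, presented_methods):
    """True if every method of at least one rule was used in the request."""
    presented = set(presented_methods)
    return any(set(rule).issubset(presented) for rule in rules)


def mfa_check_lenient(rules, presented_methods, mfa_enabled=True, known=KNOWN_METHODS):
    """Behaviour the report describes: an unknown method in any rule causes the
    whole rule set to be discarded, and an empty rule set means no enforcement.
    Returns True when the request would be allowed."""
    if not mfa_enabled:
        return True
    for rule in rules:
        if any(m not in known for m in rule):
            return True  # rule set treated as invalid -> enforcement silently skipped
    if not rules:
        return True
    return rules_satisfied(rules, presented_methods)


def mfa_check_strict(rules, presented_methods, mfa_enabled=True, known=KNOWN_METHODS):
    """Hardened model of the report's 'Expected Behavior': drop only the rules
    that contain unknown methods, log each drop, and still enforce the rest.
    Design choice (assumption): if MFA is enabled but no usable rule remains,
    fail closed rather than fall back to single-factor."""
    if not mfa_enabled:
        return True
    usable = []
    for rule in rules:
        unknown = [m for m in rule if m not in known]
        if unknown:
            log.error("MFA rule %r ignored: unknown method(s) %r", rule, unknown)
            continue
        usable.append(rule)
    if not usable:
        log.error("MFA enabled but no valid rules remain; denying request")
        return False
    return rules_satisfied(usable, presented_methods)


def validate_rules_at_config_time(rules, known=KNOWN_METHODS):
    """Config-time check: return a list of (rule, reason) problems so that a
    user-update API can reject the option before it is stored."""
    problems = []
    for rule in rules:
        if not isinstance(rule, list) or not rule:
            problems.append((rule, "rule must be a non-empty list of method names"))
            continue
        unknown = sorted(m for m in rule if m not in known)
        if unknown:
            problems.append((rule, f"unknown methods: {unknown}"))
    return problems


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print("lenient, password only:", mfa_check_lenient(MFA_RULES_FROM_REPORT, ["password"]))
    print("strict, password only: ", mfa_check_strict(MFA_RULES_FROM_REPORT, ["password"]))
    print("strict, password+totp: ", mfa_check_strict(MFA_RULES_FROM_REPORT, ["password", "totp"]))
    print("config-time problems:  ", validate_rules_at_config_time(MFA_RULES_FROM_REPORT))
```

With the report's rule set, the lenient model lets a password-only request through, while the strict model still requires password plus totp and only rejects the ['nonsense'] rule with a logged error. Whether an all-invalid rule set should deny or fall back is a deployment policy decision; the model above fails closed because the alternative is the silent downgrade the report describes.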


Environment

Keystone version: 2025.1 (27.0.0)
OS: Rocky Linux 9


Security Impact

High — invalid configuration silently disables MFA protection, exposing
accounts to weaker authentication.

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: auth mfa

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2125042

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2125042/+subscriptions