By: Jason Hamilton user 02 Jan 2019 at 5:47 p.m. CST

3 Responses
I tested U2F by setting the default acr to u2f and then tapping my Google Titan key on login, and it works exactly as expected. My question is whether U2F can be enabled for only some users? An example would be how Google Apps offers users the ability to opt in to MFA but doesn't necessarily require it. Thanks, Jason

By Aliaksandr Samuseu staff 03 Jan 2019 at 11:24 a.m. CST

Hi, Jason. It should be possible, by rewriting the corresponding custom script, making it check some attribute on a user entry and skip the 2nd step if they are excluded from U2F, as the simplest solution (not without a drawback). Unfortunately, we can't afford to provide support for such complex topics to our Community (free) users, so you'll have to do some research yourself and write the code. Studying the existing custom scripts would be a good start.

By William Lowe user 04 Jan 2019 at 4:10 a.m. CST

Hi Jason,

The short answer is yes, it's possible. There are a couple of important considerations:

1. Enforcing 2FA for specific users: which users get 2FA, and which do not?
2. 2FA credential enrollment: how do users who want 2FA enroll and manage their credentials and auth settings, i.e. turn 2FA on & off?

For number one, you can write and add custom [interception scripts](https://gluu.org/docs/ce/authn-guide/intro/#authentication-interception-scripts) to your Gluu Server to define the logic. For example, take a look at this sample interception script that implements Duo for 2FA: https://github.com/GluuFederation/oxAuth/blob/master/Server/integrations/duo/DuoExternalAuthenticator.py#L41 In line 41 of the script it specifies that if the user is part of the Duo group, prompt for 2FA; else let the user through with simple PW authentication.

This is OK for an enterprise that manages user groups and credentials/devices, but not so good for customer-facing services. So you need a way to give people the ability to enroll and manage their 2FA credentials, and also turn 2FA on and off. In fact, we're just about to release a new product that will help you roll this out, called [Gluu Casa](https://gluu.org/docs/casa/). Note: the packages are still being QA'd and are not ready for deployment, but will be this month. Casa includes interception scripts that help route the proper authentication strategies, and also user interfaces for admins and end-users to enroll and manage their 2FA devices, and also set proper policies around 2FA. Casa will be commercial software though. If you'd like to discuss and see a demo, feel free to [schedule a call](https://gluu.org/booking).

Hope that helps get you oriented around how you might go about achieving this type of solution.

Cheers,
Will
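Added example (not part of William's reply, and not Gluu's own code): the two approaches discussed in this thread, the group-based check from the Duo script and the per-user opt-in attribute from Aliaksandr's reply, reduced to the policy decision a Gluu person-authentication script makes in its `getCountAuthenticationSteps()` hook. Plain Python with a constructed stand-in for the directory user entry, so it runs offline; the names `UserEntry`, `TwoFactorPolicy`, the group `u2f-required` and the attribute `u2fEnabled` are assumptions chosen for illustration, not Gluu identifiers. The one design choice worth copying is that a user who is required to do U2F but has no enrolled key is refused (or routed to enrollment) rather than silently downgraded to password-only.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

TWO_FA_GROUP = "u2f-required"   # assumed group name for the admin-managed policy
OPT_IN_ATTR = "u2fEnabled"      # assumed user attribute for self-service opt-in/out


@dataclass(frozen=True)
class UserEntry:
    """Constructed stand-in for a directory user entry (not a Gluu class)."""
    uid: str
    groups: FrozenSet[str] = frozenset()
    attributes: Dict[str, str] = field(default_factory=dict)
    u2f_devices: int = 0        # number of U2F keys the user has enrolled


class TwoFactorPolicy:
    """
    mode="group": users in TWO_FA_GROUP must complete a U2F step (enterprise model,
                  like the Duo script's group check).
    mode="optin": users whose OPT_IN_ATTR is "true" get the U2F step (self-service
                  model, like the attribute check Aliaksandr describes).
    require_enrolled=True: a user who must do U2F but has no enrolled key is refused
                  instead of being let through on the password alone.
    """

    def __init__(self, mode: str = "group", require_enrolled: bool = True):
        if mode not in ("group", "optin"):
            raise ValueError("mode must be 'group' or 'optin'")
        self.mode = mode
        self.require_enrolled = require_enrolled

    def u2f_required(self, user: UserEntry) -> bool:
        """Does this user have to present a U2F key in addition to the password?"""
        if self.mode == "group":
            return TWO_FA_GROUP in user.groups
        return user.attributes.get(OPT_IN_ATTR, "false").strip().lower() == "true"

    def count_steps(self, user: UserEntry) -> int:
        """Mirrors getCountAuthenticationSteps(): 1 = password only, 2 = password + U2F."""
        return 2 if self.u2f_required(user) else 1

    def decide(self, user: UserEntry, password_ok: bool, u2f_ok: Optional[bool]) -> str:
        """
        Evaluate a whole login attempt. password_ok is the outcome of step 1; u2f_ok is
        the outcome of step 2, or None if that step was never performed.
        Returns "allow", "deny" or "enroll" (U2F required but no key registered).
        """
        if not password_ok:
            return "deny"
        if not self.u2f_required(user):
            return "allow"                       # password-only user
        if user.u2f_devices == 0:
            # Required but nothing enrolled: never fall back to password-only.
            return "deny" if self.require_enrolled else "enroll"
        return "allow" if u2f_ok else "deny"     # step 2 must actually have succeeded


if __name__ == "__main__":
    # Constructed sample users, run through both policy modes.
    users = [
        UserEntry("alice", groups=frozenset({TWO_FA_GROUP}), u2f_devices=1),
        UserEntry("bob"),                                   # no group, no attribute
        UserEntry("carol", attributes={OPT_IN_ATTR: "true"}, u2f_devices=1),
        UserEntry("dave", groups=frozenset({TWO_FA_GROUP}), u2f_devices=0),
    ]
    for mode in ("group", "optin"):
        policy = TwoFactorPolicy(mode)
        for u in users:
            print(f"{mode:5} {u.uid:6} steps={policy.count_steps(u)} "
                  f"password-only-attempt={policy.decide(u, True, None)}")
```

In a real interception script the group membership and the attribute would come from the user entry the server hands the script, and `u2f_ok` would be the result of verifying the U2F assertion; the decision logic is the part that does not change.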

By Jason Hamilton user 07 Jan 2019 at 8:53 a.m. CST

That's amazing, William! Thank you so much for your help. I'm looking forward to reviewing the capabilities of Casa when it's released.