**UPDATE** as of version 2022.9.0 of Authentik, Duo Push MFA NOW automatically registers new users' Duo devices into Authentik!
The portion of this video where a new user enrollment first scans the QR code with the Duo app, visibly does nothing, and you have to close the QR code tab not only works and logs the user in now...but also the user's Duo Push device now registers in Authentik without having to use the Authentik API browser to manually register your users...
I wish I could do this but when getting the user to choose Settings > MFA > Enroll > Duo I get an invalid stage error in the logs :(
This is when you try to add Duo to an existing user after the fact correct? Does the stage work correctly with new user enrollment at least? If not, I'd start at fixing that first... I just tested mine with a test user that has TOTP already by going to the user's settings > MFA Devices > Enroll > Duo Authenticator and scanning the QR code. Now this test user can choose either TOTP or Duo at login...for further help, post in the discord with maybe your log (redacted) so others can chime in...
thanks for this update, I have finally got the Duo Push working.
Thank you very much for your series tutorial on Authentik. Using 2023.10.5, it gets much easier to enroll Duo now. Create username in authentik, then in Duo account. Then go to the Stage and select Duo, there should be a button to import user.
And you do not need to search for the API and all that stuff? Do you have any documentation to see exactly how I can add Duo with the 2024 authentik version?
Thanks for the amazing series. Can you please do an updated version for the Duo account? Because this is no longer current with the latest version of authentik and the latest changes on Duo Security. Thanks
Thanks for the video!
Is there a way to make TOTP required for users with a certain role, like admin?
Also, I'm missing in your instructions some kind of intermediary description of what you are intending to do. For example, say you're setting up enrollment and then you go straight to clicking through the interface. If you first say we need such-and-such flows with such-and-such steps, it would be easier to follow, because then when you're clicking through the interface, we'd already know what you're intending to do there.
Thanks again!
You're welcome. You can write a policy that checks the role of a user and if the policy check is true, proceed to MFA (negate the result if needed). And I'll keep that feedback in mind if I make another authentik video.
Thank you, thank you, thank you! This was very informative.
You are welcome! Glad it was helpful!
We are implementing MFA via Active Directory which we want to include all our apps and have integration with the Microsoft Authenticator app.
Thanks a bunch for this guide. I used it and everything works great. I tried adding it to source authentication as well, but it doesn't seem to work. It prompts for the MFA code, but if you navigate back and then forward again, it bypasses the code.
...as in it bypasses prompting you again or bypass as in allows straight login? May need to bring it up with the dev in discord or their github. Also, for the policy try the option to 'Evaluate when stage is run' if not already set.
@@cooptonian so if I login with Google OAuth, it will prompt me for my TOTP code, but if I navigate back to the OAuth without entering the TOTP code and redo the OAuth, it will send me straight in without prompting me for the TOTP code.
I'll put an issue in on GitHub.
Hi, thank you so much for your videos on Authentik, they've been very helpful. How would you go about implementing MFA recovery keys?
You're welcome, glad they've been helpful. The MFA recovery keys are the static tokens option, so if you enabled that you will get a list of tokens/codes (to keep somewhere safe), and so at the MFA prompt, choose static tokens and enter any of those codes if the MFA device is ever lost or whatever.
Your videos are great and allow me to move away from Authelia. I'm currently struggling with using Authentik as LDAP. A video on that would be helpful when you have the time. I've created the provider, application, and outpost. The outpost creation automatically created a separate docker container which looks like it's running fine. Nextcloud isn't connecting correctly though, and I suspect I did something wrong in Authentik.
That's awesome, glad they are of help...for LDAP, have you tried checking the discord? A user in there by the name of Hooray4Rob seems to have it set up and working for his purpose... In any case, I may eventually do an LDAP video but there's no ETA on that as I don't personally use it...
When i try to setup a duo push device it gives me this error: "No variant of ChallengeTypes exists with 'component=undefined'"
Ok, seems like you get this error if the username is already in use within Duo
thanks! Wow, the Duo setup is tedious. I think I would just set this up for my user. I've got everything else set up (and working) using docker-compose. I am kicking myself for trying it there first... I recently got my kubernetes cluster up and fully functioning. I know they have a helm chart to install Authentik, but there is no easy way to back up and move it over. I'll probably have to do a fresh install via helm and re-configure.
Thanks again for this!
You're welcome...yeah I thought it was tedious also; I wish it was as simple as the TOTP setup but the dev documented it had to do with how the Duo API works.
@@cooptonian is there an easy way to change the label for the auth options? The users I would have using it (friends/family) don't understand things like TOTP :) ... like just making it say Authenticator App
Yeah, just change the Name of the stage. For instance, mine says default-authenticator-totp-setup | TOTP Authenticator Setup Stage, so the default-authenticator-totp-setup part can be changed to whatever you want it to say, the 2nd part can't since it literally is the stage type (you know from when you click Create when creating a new stage)
@@cooptonian Awesome... did you ever figure out how to change the button text on the recovery email page from "Log in" to something that makes more sense?
No, however, if we know which HTML file it is within the docker container, it can simply be edited to say whatever (as long as it isn't a linked file where it is shared with, for instance, the main login page because then that would also change). You can see for yourself by inspecting the button in the browser and find the string "Log in" and change that to whatever and it will reflect in your current browser session.
...submitted a Github issue regarding the text in the button for dev to hopefully address in the next release: github.com/goauthentik/authentik/issues/3589
How do you disable enrollment? There is a risk when adding logging in with OAuth, for example Google, as you can always log in with a valid Google account and then just create a username and you are in. Cannot see anywhere where you can disable user creation
...first you'd want to add a deny stage at top of your enrollment flow. Then if you want to remove it from the main page, update your identification stage under flow settings and be sure to remove the enrollment flow...
i love your videos! a video about using SMS 2FA using Twilio would be amazing!
Thanks for your great videos. I have a question: is it possible to set this up so that if the user has configured more than one MFA (for example TOTP and Duo) the user is asked for the password of which MFA he wants to use?
...not sure I understand; if you have multiple MFA set up, it should prompt you with a screen of MFA choices that you've registered...
@@cooptonian I have activated WebAuthn Device, TOTP Authenticator and Static Token in my test account. After I have entered my user and password, I am asked directly for the TOTP. I have selected all devices for default-authentication-mfa-validation.
Update: I have just seen that there is a button underneath labeled: "Return to device picker" if I press it I am logged in directly without using an MFA method.
...that doesn't seem right...if you found a bug, please bring it up with the dev in discord or github issue.
Hi, thank you for your explanation! Is it possible to force a few groups to have to connect with MFA, and maybe one or two who don't need it? For example, I would like admin groups to have to connect with MFA like WebAuthn or Duo, but I would like normal users to be able to connect however they want. Thanks for your help :)
...I believe you can by using Groups. For more info start up a chat in the discord.
I got it to work with TOTP, awesome, thank you for the video.
I was trying to get it to work with a yubikey but it keeps on saying the entered code is wrong even though it was setup as requested. Any ideas 💡?
...you're welcome. As for Yubikey, I don't have one so I can't comment on that particular setup; did you ask someone else in the discord that might have a similar setup?
@@cooptonian yes unfortunately did not get an answer yet. Will wait it out then
Anyway to bind mfa to groups instead? for example I rather have an MFA-Enabled group that I assign to users
...yeah you can probably do this with an expression policy (kind of the same method as my MFA bypass if on LAN video)
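The three replies above (check the user's role in a policy, use Groups, use an expression policy bound with "Evaluate when stage is run") all point at the same mechanism. Below is an added example, not from the video or from the authentik project, of what that expression policy looks like, modelled so it can be run offline. Only the body of `mfa_required_policy` is what you would paste into an authentik Expression Policy and bind to the authenticator validation stage of your authentication flow; the `User`/`Request` classes and the `ak_is_group_member` function here are constructed stand-ins for authentik's own `request`, `context["pending_user"]` and `ak_is_group_member(user, **filters)` helper. The group names `authentik Admins` and `mfa-required` are assumptions; use your own.

```python
"""Offline model of an authentik expression policy that requires the MFA
validation stage only for members of chosen groups.

Everything outside mfa_required_policy() is a constructed stand-in so the
logic can be exercised without a running authentik; the real objects are
supplied by authentik's expression sandbox.
"""
from dataclasses import dataclass, field

# Assumed group names; replace with the groups that must use MFA.
MFA_GROUPS = ("authentik Admins", "mfa-required")


@dataclass
class User:
    """Stand-in for authentik's User (only the fields the policy touches)."""
    username: str
    groups: set = field(default_factory=set)
    is_superuser: bool = False


# Stand-in for the unauthenticated request.user during an authentication flow.
ANONYMOUS = User(username="", groups=set(), is_superuser=False)


@dataclass
class Request:
    """Stand-in for the `request` object a policy sees: user + flow context."""
    user: User
    context: dict = field(default_factory=dict)


def ak_is_group_member(user: User, name: str) -> bool:
    """Stand-in for authentik's ak_is_group_member(user, name=...)."""
    return name in user.groups


def mfa_required_policy(request: Request) -> bool:
    # ---- expression policy body: paste from here into authentik ----
    # While the authentication flow is running, the person logging in is
    # not yet request.user; the identification stage stores them as the
    # pending user, so prefer that and fall back to request.user.
    user = request.context.get("pending_user", request.user)
    # A True result lets the bound stage run (the user is challenged for an
    # authenticator); False skips the stage, so the user logs in without MFA.
    if user.is_superuser:
        return True
    for group_name in ("authentik Admins", "mfa-required"):
        if ak_is_group_member(user, name=group_name):
            return True
    return False
    # ---- end of expression policy body ----


def evaluate_binding(request: Request, negate: bool = False) -> bool:
    """Mirror of a policy binding: 'Negate result' flips the policy outcome.

    Use negate=True if you bound the policy the other way round (a group that
    is allowed to *skip* MFA), as the reply above suggests.
    """
    result = mfa_required_policy(request)
    return (not result) if negate else result


if __name__ == "__main__":
    # Constructed sample logins.
    admin_login = Request(ANONYMOUS, {"pending_user": User("alice", {"authentik Admins"})})
    plain_login = Request(ANONYMOUS, {"pending_user": User("bob", set())})
    print("alice challenged for MFA:", evaluate_binding(admin_login))
    print("bob challenged for MFA:", evaluate_binding(plain_login))
```

Bind the policy on the authenticator validation stage binding of the authentication flow, and turn on "Evaluate when stage is run" on that binding: the pending user is only known after the identification stage has executed, so a policy evaluated when the flow plan is first built would see an anonymous user and skip MFA for everyone.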
Hayseuss Christ .... you need a Master's Degree to get this all setup. Their website motto is "Making authentication simple.". I zoned out halfway through over my morning coffee watching this, lol. Think I'll stick with Authelia.
LOL...ha ha, yeah some stuff can be tedious...the Duo part is, relatively, much simpler now (which I believe I either pinned or updated in description)
Nice video man.
Thanks!
Hi, is there guide to add TOTP to selfhosted app from Nginx Proxy Manager?
I am not sure what you mean as this video demonstrates that... Authentik is what serves 2FA/MFA (for your case TOTP). Once confirmed the app loads... So if properly set up, you will be served with a TOTP prompt either trying to load the Authentik dashboard or a self-hosted app (if you've set up the app proxy or forward auth). If you haven't set up your app with the code snippet to use Authentik I highly recommend checking out my application setup video. I hope that makes sense...
Hi, thanks for the fast answer. Please forgive me but I'm a newbie with that and that doesn't make sense for me. I have an Emby server with Nginx Proxy Manager exposed on the web and I don't want users who log in to Emby to know my password for Authentik. I want to add TOTP authorisation for Emby.
I've also messaged you in the discord chat
I found maybe a bug: If I select both authentication methods TOTP and Duo, and I manually add a user and set the password, the user that I manually created, once logged in, will be presented with a blank window. The two authentication options are still there (moving the mouse over them will change it to a hand icon) but they are not displayed properly. This happens on Authentik version 2023.10.5... Any idea?
No, I would recommend trying in an incognito window OR better yet a different browser to make sure it isn't a rendering issue...
Hi Cooptonian, your guides are great! I'm having trouble setting up a YubiKey authenticator. Maybe it's an idea to make a video of this too :)
Thanks for the great work!
Thanks, I appreciate it! I am not sure what trouble you're having...if the YubiKey option isn't showing up I'd say try a different browser (if the issue is similar to what some have experienced with WebAuthn not working as expected on Firefox vs Chrome). I don't have a YubiKey...but if I did, I'd definitely look into it... Also, you might want to join and ask in the discord if you haven't already.
hey I set up TFA like this and it works, but I want to change from Google Authenticator to Authy; the login page asks my username and password and then asks for TFA, but there is no option to regenerate the TFA QR? How do I switch TFA?
...you will have to login as the user, then go into the user settings and enroll another 2FA/MFA method...
I only see "Partner Auth API" in Duo. There isn't an "Auth API"
Yes, Duo has changed/updated...it is now labeled "Partner Auth API"
If I follow the instructions for totp how exactly would I go about adding duo to an existing user that has totp enabled?
Duo is much easier to implement now vs the video I released. In any case, to add another MFA method, that user has to log into their account, go to settings, MFA devices and enroll a new method...
Thanks! Random, but I'm mostly just curious, is it possible to do a flow like cloudflared email-based OTP? My thought is to do an identification stage, then an email stage to click the link to log in.... I tried messing with it, but couldn't get it to work. It's academic, just to play with stages and flows
Great job!
Thanks!
The choices tab for the authenticators at 10:18 is kinda ugly, is there a way to make this better?
...you can change what the choices say by changing the names (the hyphenated name), however, the description underneath these are baked in as device classes...so those may need to be edited from source.
How can I set the 2FA for an existing user, for example akadmin ?
log in as admin, Directory > Users, Impersonate the user you want, Settings, MFA Devices, Enroll...
thanks for creating such content; how do the tenants work? I got confused.
...you use the tenants if you have multiple domains where you want your configurations to behave differently based on a particular domain that is accessed (goauthentik.io/docs/tenants).
@@cooptonian sounds good, thanks.
is there any way where we can have separate providers, apps, users and groups in individual tenant?
...not exactly sure what you mean. In a single tenant you can have various/different providers (proxy [simple, forward-auth, forward-auth domain level], ldap, oauth...etc), apps are up to you as to what you want accessed, users...have as many as you want but can't be existing already/conflicting, and have whatever groups you want (admins, users, restricted, finance, helpdesk...etc.)
@@cooptonian sorry for the confusion,
Actually, I mean, can we have providers or apps in a tenant?
yes...
access from public internet > hits your reverse proxy OR authentik simple proxy > where authentik's outpost directs to > provider auth method > to app...
Providers and applications have 1:1 relationship (so each app needs a provider), all these relationships can use the same outpost. If it is a fairly simple environment, all can use the embedded outpost.
Duo Push, I’m in.
cool! 👌👍
thanks!
You bet!
Can Authentik support a free provider of push notifications? Duo is not for free.
yes, webauthn/passkey...you attempt to login and you will be prompted to verify biometrics on your mobile device...
@@cooptonian Thank you for replying!
Hello, /api/v3/stages/all does not exist ^^ on 2023.3.1 😞 But thank you for the videos, this is just incredible, I like it!!!
Probably the API has changed. Google 2FA works fine, but Duo (which I have with Authelia) is hard on the new version of Authentik.
Hey thanks! Yeah my pinned comment says the newer authentik versions no longer need the part of the video where it uses the API browser stuff...so should be quicker/easier.
@@cooptonian Thanks, works great! Many thanks for your videos! Have a nice day.