TOTP MFA
Vault Enterprise license or HCP Vault Plus cluster required.
This page demonstrates enforcing TOTP MFA on ACL'd paths in Vault.
Configuration
Enable the appropriate auth method:
Fetch the mount accessor for the enabled auth method:
The response will look like:
Configure TOTP MFA:
Note: Consider the algorithms supported by your authenticator. For example, Google Authenticator for Android supports only SHA1 as the value of algorithm.
Create a policy that gives access to the secret through the MFA method created above:
Create a user. MFA works only for tokens that carry identity information. Tokens obtained by logging in through an auth method carry the associated identity information. Create a user in the userpass auth method and authenticate against it:
Create a login token:
Note that the CLI is not yet authenticated with the newly created token: we did not call vault login; instead we used the login API to simply return a token.
Fetch the entity ID from the token. The caller identity is represented by the entity_id property of the token:
Generate a TOTP method attached to the entity. The result should be distributed to the intended user so they can generate TOTP passcodes:
Either the base64-encoded PNG barcode or the url should be given to the end user. This barcode/url can be loaded into Google Authenticator or a similar TOTP tool to generate codes. The secret embedded in both is the user's MFA credential: deliver it over a confidential channel and do not log it.
Login as the user:
Read the secret, specifying the mfa flag:
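The end-user side of the procedure above, as an added example that is not Vault's own code: it takes the otpauth:// url Vault returns when the TOTP method is generated for the entity, computes the current passcode the way an authenticator app does (RFC 6238, honouring the algorithm, digits and period parameters in the url, which is why the SHA1 note matters), and attaches it to an MFA-gated read via the X-Vault-MFA header, which carries the same method:passcode value the CLI's mfa flag does. The url, entity id and method name my_totp are constructed placeholders; the secret in the sample url is the RFC 6238 test key, base32-encoded, so the result can be checked against the RFC's test vectors. read_secret_with_mfa needs a reachable Vault and a token for the userpass user; everything else runs offline.

```python
"""Client side of the TOTP MFA flow: parse the distributed otpauth url, generate
the passcode, and send it with the request. Added example, not Vault's own code.
"""
import base64
import hashlib
import hmac
import json
import struct
import time
import urllib.parse
import urllib.request

# Constructed sample of the "url" field returned when the TOTP method is generated
# for an entity. The entity id is a placeholder; the secret is the RFC 6238 test
# key b"12345678901234567890" in base32 so the codes below are checkable.
SAMPLE_URL = (
    "otpauth://totp/Vault:4b8dd5e5-aaaa-bbbb-cccc-000000000000"
    "?algorithm=SHA1&digits=6&issuer=Vault&period=30"
    "&secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
)

_HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth_url(url):
    """Extract the parameters an authenticator needs from an otpauth:// url."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth url")
    q = dict(urllib.parse.parse_qsl(parts.query))
    algorithm = q.get("algorithm", "SHA1").upper()
    if algorithm not in _HASHES:
        # An authenticator that only does SHA1 would fail here for SHA256/SHA512.
        raise ValueError("unsupported algorithm %s" % algorithm)
    return {
        "label": urllib.parse.unquote(parts.path.lstrip("/")),
        "issuer": q.get("issuer", ""),
        "secret": q["secret"],
        "algorithm": algorithm,
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def hotp(secret, counter, algorithm="SHA1", digits=6):
    """RFC 4226 HOTP: dynamic truncation of HMAC(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), _HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, algorithm="SHA1", digits=6, period=30, at=None):
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / period)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // period, algorithm, digits)


def passcode_from_url(url, at=None):
    """What the authenticator does with the url handed to the end user."""
    p = parse_otpauth_url(url)
    b32 = p["secret"].upper()
    secret = base64.b32decode(b32 + "=" * (-len(b32) % 8))
    return totp(secret, p["algorithm"], p["digits"], p["period"], at)


def mfa_header(method_name, passcode):
    """Header Vault reads for MFA-gated paths: X-Vault-MFA: <method name>:<passcode>."""
    return {"X-Vault-MFA": "%s:%s" % (method_name, passcode)}


def read_secret_with_mfa(vault_addr, token, method_name, passcode, path):
    """Read a path guarded by an mfa_methods policy. Requires a reachable Vault."""
    req = urllib.request.Request(vault_addr.rstrip("/") + "/v1/" + path)
    req.add_header("X-Vault-Token", token)
    for name, value in mfa_header(method_name, passcode).items():
        req.add_header(name, value)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["data"]


if __name__ == "__main__":
    code = passcode_from_url(SAMPLE_URL)
    print("current passcode:", code)
    print("request header:", mfa_header("my_totp", code))
```

The passcode is only valid for one period, so generate it immediately before the request; a clock skew between the user's device and the Vault server larger than what the method's skew setting tolerates is the usual cause of a rejected code.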