gravitational · Joerger · Sep 12, 2024 · Sep 12, 2024 · Sep 12, 2024 · Sep 30, 2024
diff --git a/api/client/webclient/webclient.go b/api/client/webclient/webclient.go
@@ -401,7 +401,7 @@ type AuthenticationSettings struct {
 	// PreferredLocalMFA is a server-side hint for clients to pick an MFA method
 	// when various options are available.
 	// It is empty if there is nothing to suggest.
-	PreferredLocalMFA constants.SecondFactorType `json:"preferred_local_mfa,omitempty"`
+	PreferredLocalMFA string `json:"preferred_local_mfa,omitempty"`
 	// AllowPasswordless is true if passwordless logins are allowed.
 	AllowPasswordless bool `json:"allow_passwordless,omitempty"`
 	// AllowHeadless is true if headless logins are allowed.

diff --git a/api/client/webclient/webconfig.go b/api/client/webclient/webconfig.go
@@ -191,7 +191,7 @@ type WebConfigAuthSettings struct {
 	// PreferredLocalMFA is a server-side hint for clients to pick an MFA method
 	// when various options are available.
 	// It is empty if there is nothing to suggest.
-	PreferredLocalMFA constants.SecondFactorType `json:"preferredLocalMfa,omitempty"`
+	PreferredLocalMFA string `json:"preferredLocalMfa,omitempty"`
 	// LocalConnectorName is the name of the local connector.
 	LocalConnectorName string `json:"localConnectorName,omitempty"`
 	// PrivateKeyPolicy is the configured private key policy for the cluster.

diff --git a/api/constants/constants.go b/api/constants/constants.go
@@ -191,6 +191,7 @@ var SystemConnectors = []string{
 }
 
 // SecondFactorType is the type of 2FA authentication.
+// Deprecated: Use types.SecondFactorType
 type SecondFactorType string
 
 const (

diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
@@ -2099,6 +2099,20 @@ message AuthPreferenceSpecV2 {
   // SignatureAlgorithmSuite is the configured signature algorithm suite for the cluster.
   // The current default value is "legacy". This field is not yet fully supported.
   SignatureAlgorithmSuite signature_algorithm_suite = 20;
+
+  // SecondFactors is a list of supported second factor types.
-  // SecondFactors is a list of supported second factor types.
+  // SecondFactors is a list of supported second factor types, in ascending
+  // order of preference (first item is preferred).
-  // SecondFactors is a list of supported second factor types.
+  // SecondFactors is a list of supported second factor types, in ascending
+  // order of preference (first item is preferred).
+  repeated SecondFactorType SecondFactors = 21 [(gogoproto.jsontag) = "second_factors,omitempty"];
+}
+
+// SecondFactorType is a type of second factor.
+enum SecondFactorType {
+  SECOND_FACTOR_TYPE_UNSPECIFIED = 0;
+  // SECOND_FACTOR_TYPE_OTP is OTP second factor.
+  SECOND_FACTOR_TYPE_OTP = 1;
+  // SECOND_FACTOR_TYPE_WEBAUTHN is WebAuthn second factor.
+  SECOND_FACTOR_TYPE_WEBAUTHN = 2;
+  // SECOND_FACTOR_TYPE_SSO is SSO second factor.
+  SECOND_FACTOR_TYPE_SSO = 3;
 }
 
 // U2F defines settings for U2F device.
-Original file line number
+Diff line change
@@ Expand Up / @@ -191,6 +191,7 @@ var SystemConnectors = []string{ @@
     }
     // SecondFactorType is the type of 2FA authentication.
+    // Deprecated: Use types.SecondFactorType
     type SecondFactorType string
     const (
@@ Expand Down @@