gravitational · Joerger · May 21, 2025 · May 16, 2025 · May 21, 2025 · espadolini
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
@@ -2193,7 +2193,6 @@ message AuthPreferenceSpecV2 {
   string Type = 1 [(gogoproto.jsontag) = "type"];
 
   // SecondFactor is the type of mult-factor.
-  // Deprecated: Prefer using SecondFactors instead.
   string SecondFactor = 2 [
     deprecated = true,
     (gogoproto.jsontag) = "second_factor,omitempty",
@@ -2297,6 +2296,10 @@ message AuthPreferenceSpecV2 {
   // SecondFactors is a list of supported multi-factor types.
   // 1 is "otp", 2 is "webauthn", 3 is "sso",
   // If unspecified, the current default value is [1], or ["otp"].
+  //
+  // WARNING: only set SecondFactors if your cluster is fully upgraded to v17+.
-  // WARNING: only set SecondFactors if your cluster is fully upgraded to v17+.
+  // WARNING: only set second_factors if your cluster is fully upgraded to v17+.
-  // WARNING: only set SecondFactors if your cluster is fully upgraded to v17+.
+  // WARNING: only set second_factors if your cluster is fully upgraded to v17+.
+  // Due to a version compatibility bug, v16 teleport services do not properly
+  // handle this setting and may fail to start as a result.
   repeated SecondFactorType SecondFactors = 21 [(gogoproto.jsontag) = "second_factors,omitempty"];
 
   // StableUnixUserConfig contains the cluster-wide configuration for stable

diff --git a/api/types/types.pb.go b/api/types/types.pb.go
diff --git a/docs/pages/admin-guides/access-controls/device-trust/enforcing-device-trust.mdx b/docs/pages/admin-guides/access-controls/device-trust/enforcing-device-trust.mdx
@@ -112,7 +112,7 @@ metadata:
   name: cluster-auth-preference
 spec:
   type: local
-  second_factors: ["webauthn"]
+  second_factor: "webauthn"
   webauthn:
     rp_id: (=clusterDefaults.clusterName=)
   device_trust:

diff --git a/docs/pages/admin-guides/access-controls/guides/hardware-key-support.mdx b/docs/pages/admin-guides/access-controls/guides/hardware-key-support.mdx
@@ -253,7 +253,7 @@ Yubikey for Hardware Key support, you might get an error on rare occasions.
 Depending on your settings, you might be asked to tap your Yubikey many times.
 Each tap is necessary to safely authenticate you.
 
-For example, if you have `second_factors: ["webauthn"]` set in your `cluster_auth_preference`,
+For example, if you have `second_factor: "webauthn"` set in your `cluster_auth_preference`,
 and `require_session_mfa: hardware_key_touch` set on your role,
 you'll see the following output when you first sign in:
 

diff --git a/docs/pages/admin-guides/access-controls/guides/headless.mdx b/docs/pages/admin-guides/access-controls/guides/headless.mdx
@@ -54,7 +54,7 @@ metadata:
   name: cluster-auth-preference
 spec:
   type: local
-  second_factors: ["webauthn"]
+  second_factor: "webauthn"
   webauthn:
     rp_id: example.com
   connector_name: headless # headless by default
@@ -85,7 +85,7 @@ metadata:
   name: cluster-auth-preference
 spec:
   type: local
-  second_factors: ["webauthn"]
+  second_factor: "webauthn"
   webauthn:
     rp_id: example.com
   headless: false # disable Headless WebAuthn

diff --git a/docs/pages/admin-guides/access-controls/guides/mfa-for-admin-actions.mdx b/docs/pages/admin-guides/access-controls/guides/mfa-for-admin-actions.mdx
@@ -71,7 +71,7 @@ metadata:
   name: cluster-auth-preference
 spec:
   type: local
-  second_factors: ["webauthn"]
+  second_factor: "webauthn"
   webauthn:
     rp_id: example.com
 ```

diff --git a/docs/pages/admin-guides/access-controls/guides/passwordless.mdx b/docs/pages/admin-guides/access-controls/guides/passwordless.mdx
@@ -138,7 +138,7 @@ metadata:
   name: cluster-auth-preference
 spec:
   type: local
-  second_factors: ["webauthn"]
+  second_factor: "webauthn"
   webauthn:
     rp_id: example.com
   connector_name: passwordless # passwordless by default
@@ -229,7 +229,7 @@ metadata:
   name: cluster-auth-preference
 spec:
   type: local
-  second_factors: ["webauthn"]
+  second_factor: "webauthn"
   webauthn:
     rp_id: example.com
   passwordless: false # disable passwordless

diff --git a/docs/pages/admin-guides/access-controls/guides/per-session-mfa.mdx b/docs/pages/admin-guides/access-controls/guides/per-session-mfa.mdx
@@ -43,7 +43,7 @@ per-session MFA with FIPS builds, provide the following in your `teleport.yaml`:
 teleport:
   auth_service:
     local_auth: false
-    second_factors: ["webauthn"]
+    second_factor: "webauthn"
     webauthn:
       rp_id: teleport.example.com
 ```

diff --git a/docs/pages/admin-guides/access-controls/guides/webauthn.mdx b/docs/pages/admin-guides/access-controls/guides/webauthn.mdx
@@ -62,8 +62,8 @@ Teleport configuration as below:
     name: cluster-auth-preference
   spec:
     type: local
-    # To enable WebAuthn support, include "webauthn" as a second factor method.
-    second_factors: ["webauthn"]
+    #To enable WebAuthn support, set this field to 'on', 'optional' or 'webauthn'
+    second_factor: "webauthn"
     webauthn:
       # Required, replace with proxy web address (example.com, example.teleport.sh).
       # rp_id is the public domain of the Teleport Proxy Service, *excluding* protocol
@@ -472,7 +472,7 @@ Update the `cluster_auth_preference` definition to include the following content
     name: cluster-auth-preference
   spec:
     type: local
-    second_factors: ["webauthn"]
+    second_factor: "webauthn"
     webauthn:
       rp_id: example.com
   ```

diff --git a/docs/pages/admin-guides/access-controls/sso/sso.mdx b/docs/pages/admin-guides/access-controls/sso/sso.mdx
@@ -515,6 +515,13 @@ spec:
 +  - sso
 ```
 
+<Admonition type="warning">
+  Before using the new `second_factors` field instead of the legacy `second_factor`,
+  you must ensure that your Teleport cluster is fully upgraded to v17+. Due to a
+  version compatibility bug, v16 teleport services do not properly handle this setting
+  and may fail to start as a result.
+</Admonition>
+
 ## Working with an external email identity
 
 Along with sending groups, an SSO provider will also provide a user's email address.

diff --git a/docs/pages/reference/access-controls/authentication.mdx b/docs/pages/reference/access-controls/authentication.mdx
@@ -47,7 +47,7 @@ Add the following to your Teleport configuration file, which is stored in
   auth_service:
     authentication:
       type: local
-      second_factors: ["webauthn"]
+      second_factor: "webauthn"
       webauthn:
         rp_id: example.teleport.sh
   ```
@@ -68,7 +68,7 @@ metadata:
   name: cluster-auth-preference
 spec:
   type: local
-  second_factors: ["webauthn"]
+  second_factor: "webauthn"
   webauthn:
     rp_id: example.teleport.sh
 version: v2
@@ -102,7 +102,7 @@ metadata:
   name: cluster-auth-preference
 spec:
   type: local
-  second_factors: ["webauthn"]
+  second_factor: "webauthn"
   webauthn:
     rp_id: example.teleport.sh
 version: v2

diff --git a/docs/pages/reference/resources.mdx b/docs/pages/reference/resources.mdx
@@ -231,17 +231,20 @@ Global cluster configuration options for authentication.
 metadata:
   name: cluster-auth-preference
 spec:
+  # Sets the type of second factor to use.
+  # Possible values: "on", "otp" and "webauthn"
+  # If "on" is set, all MFA protocols are supported.
+  second_factor: "on"
+
   # Sets the list of allowed second factors for the cluster.
   # Possible values: "otp", "webauthn", and "sso".
   # Defaults to ["otp"].
-  second_factors: ["webauthn", "otp"]
-
-  # second_factors is the list of allowed second factors for the cluster.
-  # Possible values: "on", "otp" and "webauthn"
-  # If "on" is set, all MFA protocols are supported.
   #
-  # Prefer setting second_factors instead.
-  #second_factor: "webauthn"
+  # WARNING: only use second_factors if your cluster is fully upgraded to v17+.
+  # Due to a version compatibility bug, v16 teleport services do not properly
+  # handle this setting and may fail to start as a result.
+  #
+  # second_factors: ["webauthn", "otp"]
 
   # The name of the OIDC or SAML connector. if this is not set, the first connector in the backend is used.
   connector_name: ""

diff --git a/docs/pages/reference/terraform-provider/data-sources/auth_preference.mdx b/docs/pages/reference/terraform-provider/data-sources/auth_preference.mdx
@@ -41,8 +41,8 @@ Optional:
 - `message_of_the_day` (String)
 - `okta` (Attributes) Okta is a set of options related to the Okta service in Teleport. Requires Teleport Enterprise. (see [below for nested schema](#nested-schema-for-specokta))
 - `require_session_mfa` (Number) RequireMFAType is the type of MFA requirement enforced for this cluster. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN".
-- `second_factor` (String) SecondFactor is the type of mult-factor. Deprecated: Prefer using SecondFactors instead.
-- `second_factors` (List of Number) SecondFactors is a list of supported multi-factor types. 1 is "otp", 2 is "webauthn", 3 is "sso", If unspecified, the current default value is [1], or ["otp"].
+- `second_factor` (String) SecondFactor is the type of mult-factor.
+- `second_factors` (List of Number) SecondFactors is a list of supported multi-factor types. 1 is "otp", 2 is "webauthn", 3 is "sso", If unspecified, the current default value is [1], or ["otp"].  WARNING: only set SecondFactors if your cluster is fully upgraded to v17+. Due to a version compatibility bug, v16 teleport services do not properly handle this setting and may fail to start as a result.
 - `signature_algorithm_suite` (Number) SignatureAlgorithmSuite is the configured signature algorithm suite for the cluster. If unspecified, the current default value is "legacy". 1 is "legacy", 2 is "balanced-v1", 3 is "fips-v1", 4 is "hsm-v1".
 - `stable_unix_user_config` (Attributes) StableUnixUserConfig contains the cluster-wide configuration for stable UNIX users. (see [below for nested schema](#nested-schema-for-specstable_unix_user_config))
 - `type` (String) Type is the type of authentication.

diff --git a/docs/pages/reference/terraform-provider/resources/auth_preference.mdx b/docs/pages/reference/terraform-provider/resources/auth_preference.mdx
@@ -60,8 +60,8 @@ Optional:
 - `message_of_the_day` (String)
 - `okta` (Attributes) Okta is a set of options related to the Okta service in Teleport. Requires Teleport Enterprise. (see [below for nested schema](#nested-schema-for-specokta))
 - `require_session_mfa` (Number) RequireMFAType is the type of MFA requirement enforced for this cluster. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN".
-- `second_factor` (String) SecondFactor is the type of mult-factor. Deprecated: Prefer using SecondFactors instead.
-- `second_factors` (List of Number) SecondFactors is a list of supported multi-factor types. 1 is "otp", 2 is "webauthn", 3 is "sso", If unspecified, the current default value is [1], or ["otp"].
+- `second_factor` (String) SecondFactor is the type of mult-factor.
+- `second_factors` (List of Number) SecondFactors is a list of supported multi-factor types. 1 is "otp", 2 is "webauthn", 3 is "sso", If unspecified, the current default value is [1], or ["otp"].  WARNING: only set SecondFactors if your cluster is fully upgraded to v17+. Due to a version compatibility bug, v16 teleport services do not properly handle this setting and may fail to start as a result.
 - `signature_algorithm_suite` (Number) SignatureAlgorithmSuite is the configured signature algorithm suite for the cluster. If unspecified, the current default value is "legacy". 1 is "legacy", 2 is "balanced-v1", 3 is "fips-v1", 4 is "hsm-v1".
 - `stable_unix_user_config` (Attributes) StableUnixUserConfig contains the cluster-wide configuration for stable UNIX users. (see [below for nested schema](#nested-schema-for-specstable_unix_user_config))
 - `type` (String) Type is the type of authentication.

diff --git a/docs/pages/reference/user-types.mdx b/docs/pages/reference/user-types.mdx
@@ -50,7 +50,7 @@ authentication method required by the upstream SSO provider. Teleport is not
 aware of the authentication method not the user credentials, it trusts the IdP
 response.
 
-If `teleport.auth_service.authentication.second_factors` is `["webauthn"]`, Teleport
+If `teleport.auth_service.authentication.second_factor` is `"webauthn"`, Teleport
 might ask for an additional MFA for administrative actions. This protects
 against IdP compromise.
 

diff --git a/integrations/terraform/tfschema/types_terraform.go b/integrations/terraform/tfschema/types_terraform.go