UI login with userpass and 2FA with Google authenticator (or others)

I’m looking to add 2FA to the UI login for a couple of users who will be able to manually update some secrets.

  1. enable a new auth method at /userpassmfa, make it visible in the UI
  2. create a user in the /userpassmfa
  3. create and assign the role allowing the user to update the secret

This bit looks great and I now see a login prompt and can login as said user.

  1. enable TOTP secrets engine with the defaults and add an enforcement for the above

This now prompts me for an MFA code when I attempt to login.

Surely I’ve missed a step whereby I need to associate the MFA key with the user which is normally done by presenting a QR code or using the manual code to enter into the authenticator app (e.g. Google authenticator or I’ll use Bitwarden)

What am I missing as I feel like I’ve read the docs over and over and searched here and can’t find the right steps.

Can anyone help?

PS testing this on the latest Vault docker image

ok - I’ve solved it for myself

here are the steps assuming you want a new userpass store called userpassmfa and a user called a

first setup the userpass and mfa properties
vault auth enable -path=userpassmfa -listing-visibility=unauth userpass
vault auth list
→ take the $ACCESSOR from the appropriate row
vault write -field=method_id identity/mfa/method/totp issuer=Vault period=30 key_size=30 qr_size=200 algorithm=SHA256 digits=6
→ this will return $METHOD_ID
vault write identity/mfa/login-enforcement/mylogin mfa_method_ids=“$METHOD_ID” auth_method_accessors=“$ACCESSOR”

you now have a new login area, which is enabled for use on the login page, and it requires MFA

for each user, in this case a user called a
vault write auth/userpassmfa/users/a password=passwordA!
vault write -field=id identity/entity name=“a”
→ this id becomes the $ENTITY_ID
vault write identity/entity-alias name=“a” canonical_id=“$ENTITY_ID” mount_accessor=“$ACCESSOR”
vault write identity/mfa/method/totp/admin-generate entity_id=“bc82708f-5188-582d-dc21-a5127bb1a3ff” method_id=“94632cc7-e8b5-478e-dcf6-82e55f1f0914”
→ this will return both a base64 encoded image and also the URL which can be copied into your authenticator tool of choice - in my case Bitwarden