A serious bug was identified in the Login MFA feature introduced in 1.10.0: "MFA TOTP is deleted after vault restart" (hashicorp/vault issue #15108 on GitHub). Upon restart, Vault is not populating its in-memory MFA data structures based on what is found in storage. Although Vault persists to storage the MFA methods and login enforcement configs populated via /identity/mfa, they effectively disappear after the process is restarted.
We plan to issue a new 1.10.3 release to address this soon. We recommend delaying any rollouts of Login MFA until that release.
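A post-restart check for the loss described in the post, written as an added example (not code from the post or from HashiCorp): it snapshots the Login MFA method IDs and login-enforcement names through the Vault HTTP API before a restart and reports anything that has vanished afterwards. VAULT_ADDR and VAULT_TOKEN in the environment, and the sample IDs, are assumptions.

```python
import json
import os
import sys
import urllib.error
import urllib.request

# Login MFA objects the post says are persisted but not reloaded on restart.
MFA_LIST_PATHS = ("identity/mfa/method", "identity/mfa/login-enforcement")

def list_keys(path: str) -> list[str]:
    # LIST a Vault path; Vault answers 404 when nothing is stored there.
    req = urllib.request.Request(
        f"{os.environ['VAULT_ADDR']}/v1/{path}?list=true",
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"]},
    )
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return sorted(json.load(resp)["data"]["keys"])
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return []
        raise

def snapshot() -> dict[str, list[str]]:
    return {path: list_keys(path) for path in MFA_LIST_PATHS}

def missing_after_restart(baseline: dict, current: dict) -> dict[str, list[str]]:
    # Objects present in the pre-restart baseline but absent now, keyed by path.
    gone = {}
    for path in MFA_LIST_PATHS:
        lost = set(baseline.get(path, [])) - set(current.get(path, []))
        if lost:
            gone[path] = sorted(lost)
    return gone

# Constructed sample (not real Vault output): pre-restart baseline vs. an affected node afterwards.
SAMPLE_BASELINE = {
    "identity/mfa/method": ["totp-method-a", "totp-method-b"],
    "identity/mfa/login-enforcement": ["require-totp-for-humans"],
}
SAMPLE_AFTER_RESTART = {path: [] for path in MFA_LIST_PATHS}

if __name__ == "__main__":
    # `snapshot` before the restart (save stdout), `check baseline.json` after it.
    if sys.argv[1] == "snapshot":
        print(json.dumps(snapshot()))
    else:
        lost = missing_after_restart(json.load(open(sys.argv[2])), snapshot())
        print(lost or "all Login MFA objects survived the restart")
        sys.exit(1 if lost else 0)
```

A non-zero exit with a non-empty dict means the restarted node no longer serves MFA objects that storage held before, which is exactly the symptom the issue describes.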