Cyral supports MFA on MongoDB through Duo. In the default configuration, users who connect with any tool that uses the MongoDB Node.js driver (MongoDB Compass, MongoDB Shell, etc.) will receive multiple MFA approval requests when connecting, as well as extra MFA approval requests when they submit queries.
This happens because the Node.js driver uses connection pools (creating many database connections for a single session), and an MFA challenge is issued during the authentication phase for each connection request.
Note! This issue does not affect the legacy "mongo" client. Using that client, an MFA approval is required only when connecting to a database.
Users can reduce the number of MFA approval requests they receive by including the maxPoolSize=1 argument in their MongoDB connection string. With this setting in place, the Node.js driver generates fewer connections, and this reduces the number of MFA approval requests.
For example, a MongoDB Shell connection string might look like this, with maxPoolSize=1 added as the last argument:
mongosh "mongodb://bwilliams%40example.com%3Aanalyst:mysecretpassword@mysidecar.example.com:27017/admin?authSource=admin&authMechanism=PLAIN&replicaSet=2424&maxPoolSize=1"
Be aware that there can be a performance penalty when using the maxPoolSize=1 argument, since it reduces the client's connection pool to a single connection.
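One way to apply and check this setting programmatically, as an added example that is not Cyral's code: the hypothetical helpers withSinglePool() and hasSinglePool() below rewrite a MongoDB connection string so that it carries exactly one maxPoolSize=1 option, and report whether a given string already does. They assume standard connection string syntax, where option names are case-insensitive.

```javascript
// Added example (not Cyral's code). withSinglePool() and hasSinglePool()
// are hypothetical helper names introduced for illustration.

// scheme, userinfo+hosts, optional /database, optional ?options
const URI_RE = /^(mongodb(?:\+srv)?:\/\/)([^\/?]+)(\/[^?]*)?(?:\?(.*))?$/;

// Split a connection string into everything before "?" and its option list.
function splitOptions(uri) {
  const m = URI_RE.exec(uri);
  if (!m) throw new Error("not a MongoDB connection string");
  // A missing "/database" part becomes "/" so options can be appended.
  const [, scheme, hosts, path = "/", query = ""] = m;
  return {
    prefix: scheme + hosts + path,
    options: query.split("&").filter(Boolean),
  };
}

// Option names are case-insensitive: MaxPoolSize, maxpoolsize, maxPoolSize.
const isPoolSize = (kv) => kv.split("=")[0].toLowerCase() === "maxpoolsize";

// True only if the string carries exactly one maxPoolSize option, set to 1.
function hasSinglePool(uri) {
  const sizes = splitOptions(uri).options.filter(isPoolSize);
  return sizes.length === 1 && sizes[0].split("=")[1] === "1";
}

// Drop any existing maxPoolSize option (whatever its case or value) and
// append maxPoolSize=1 as the last argument, leaving other options as-is.
function withSinglePool(uri) {
  const { prefix, options } = splitOptions(uri);
  const kept = options.filter((kv) => !isPoolSize(kv));
  return `${prefix}?${[...kept, "maxPoolSize=1"].join("&")}`;
}

// The connection string from this page, without the pool-size argument.
const SAMPLE =
  "mongodb://bwilliams%40example.com%3Aanalyst:mysecretpassword" +
  "@mysidecar.example.com:27017/admin" +
  "?authSource=admin&authMechanism=PLAIN&replicaSet=2424";

console.log(hasSinglePool(SAMPLE));                 // before the rewrite
console.log(hasSinglePool(withSinglePool(SAMPLE))); // after the rewrite
```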