Hey everyone, I've been asked by my boss to create a standard operating procedure (SOP) for managing multi-factor authentication (MFA) resets. Currently, we don't have any formal practices in place and just rely on people's judgment about whether a request is legitimate. Coming from a smaller organization where we had a policy that required MFA reset requests to come via a ticket from Teams or email, and to confirm identity through a video call, I feel like we need something more structured here. However, since this is a larger organization and I don't know every employee personally like I did before, I'm looking for suggestions on how best to handle this. Any thoughts or advice would be greatly appreciated!
6 Answers
Our practice involves users contacting the help desk face-to-face or via video call. We verify their identity against HR records and require them to provide their employee ID number along with other personal info. If they refuse any of this, we lock their account instead of resetting their MFA and notify their supervisor about the issue.
I suggest requiring approval from the user's boss. They can confirm with IT whether the reset is necessary, which adds an extra layer of verification.
You might want to look into NIST 800-63, which outlines identity revalidation principles. It offers three different levels of verification based on the sensitivity of resources users can access. I think it could give you a solid framework for your SOP!
We do out-of-band verification through the user's supervisor or by contacting the employee directly. It’s tough since they usually realize they’re locked out of their resources and can’t access email or Teams.
We use video calls over Teams or Slack for identity confirmation. If they can’t do video, we advise them to talk to their manager who can call us to confirm their identity. Alternatively, we use a third-party self-service reset tool that helps verify users through security questions, which could be a good backup plan as tech advances.
In our case, we just reset MFA and passwords simultaneously for in-office users. The supervisor hands them the new password directly. Keeps it simple!
Perfect! Thank you for the tip!