I lost my phone today and now I can't access my accounts because I didn't save any backup codes and I can't recover my authenticator app. The IT department doesn't have a recovery path set up since they believe MFA is supposed to be secure and can't be bypassed. After three hours, I still can't get back into my accounts without going through a vendor support ticket, which will take 48 hours. I'm curious about how others manage account recovery for Time-based One-Time Passwords (TOTP) at scale. It seems like every possible solution either has security risks or leads to a lot of support challenges.
5 Answers
It’s a shame you’re left waiting for vendor support. Generally, admins should have the ability to reset user MFA, ensuring a smooth recovery process.
Totally agree. Waiting on a vendor is just not practical for critical systems.
What MFA system are you using? If it’s, say, Microsoft 365, then resetting the old MFA method should just take a couple of clicks to allow the user to register a new device.
Honestly, I think you should be able to reset the MFA after verifying the user's identity. If that's not an option, maybe your administration privileges need a review.
What do you mean by "IT has no recovery path configured"? Normally, if someone gets a new phone, they just reinstall the authenticator app without needing to involve a vendor. Isn’t there a primary identity system in place that could help?
You can usually reset MFA by verifying the user's identity and enrolling them on a new device. If they don't have another device, sometimes we temporarily provide a hardware key. Not sure why this is a big issue?
It's really about confirming their identity first, right? You need to make sure it’s the actual user.
But you're right, without understanding the broader security implications, it's easy to overlook some serious vulnerabilities.
Exactly! Any decent MFA system would allow for an admin to reset user access quickly to prevent downtime.