Got a ticket today that made me question everything about MFA rollouts
Posted by Brilliant_Candle5450@reddit | sysadmin | 20 comments
User lost their phone. No backup codes saved anywhere. Authenticator gone. IT has no recovery path configured because "MFA is security, you can't just bypass it."
Three hours later we still can't get them in without escalating to a vendor support ticket that'll take 48 hours.
How are people actually handling account recovery for TOTP at scale? Feels like every option either creates a security hole or a support nightmare.
Kumorigoe@reddit
Sorry, it seems this comment or thread has violated a sub-reddit rule and has been removed by a moderator.
Do Not Conduct Marketing Operations Within This Community.
Your content may be better suited for our companion sub-reddit: /r/SysAdminBlogs
If you wish to appeal this action please don't hesitate to message the moderation team.
Extra-Organization-6@reddit
The real question isn't MFA recovery, it's why the org has no admin reset path. Every identity provider worth using lets an admin clear MFA and force re-enrollment. If yours doesn't, that's the actual problem to fix, not the user losing their phone.
Beautiful_Tower8539@reddit
Do you know how to reset MFA?
Maligannt2020@reddit
Have managed access to a financial system that has this type of restraint, vendor support was 5x12. The only way to reset MFA during those hours was by receiving a call back at your administrator designated desk phone. Enterprise facing portals like this don't support SSO, think a commercial online banking platform but for financial advisors.
Document and advise management, notify users during onboarding, ensure that every account has a primary and secondary employee assigned to it in the event of a user getting locked out of account due to MFA during non business hours.
Accomplished_Fly729@reddit
So what? The alternative is someone else can hijack your tokens and fuck you. Being locked out and waiting for 3rd party vendors is a better alternative.
If the system was critical you wouldn't have a single person losing their phone be the single point of failure.
ADynes@reddit
You reset MFA and enroll another device. If they don't have another device you give them a hardware key temporarily.
I don't understand the question.
Accomplished_Fly729@reddit
He means other vendors enrolled in the authenticator app. He fails to see the security hole if you could just restore all your tokens.
Yeah, the vendor needs to reset the account and they have to wait until they respond, big whoop.
the_doughboy@reddit
Confirm identity beforehand via a manager.
dabbydaberson@reddit
Give them a TAP to get back in and register new device
Man-e-questions@reddit
This is what we do for off network. If they come into the office and are on a trusted IP they can register the new MFA without TAP. Off network, they need to call helpdesk to get the TAP.
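The flow the last few comments describe (verify identity, clear the lost device's registration, hand the user a Temporary Access Pass so they can enroll a new phone), written out as an added example for Entra ID using the Microsoft Graph PowerShell SDK. This is not code from the thread or from Microsoft; it assumes the Microsoft.Graph.Identity.SignIns module is installed, the operator holds the UserAuthenticationMethod.ReadWrite.All permission, the tenant's Temporary Access Pass authentication method policy is enabled, and the helpdesk has already confirmed the caller's identity out-of-band. The ticket id and log path are placeholders.

```powershell
# Added example (not from the thread): Entra ID recovery for a user who lost
# their authenticator phone. Run only after identity has been verified through
# a second channel (manager confirmation, call-back to a known number, etc.).
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # the locked-out user
    [string] $Ticket = 'PLACEHOLDER-TICKET-ID',           # helpdesk ticket for the audit trail
    [int]    $LifetimeMinutes = 60                        # keep the TAP short-lived
)

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All' -NoWelcome

# 1. Remove the Microsoft Authenticator registrations tied to the lost device,
#    so the old phone is no longer a valid second factor if someone else has it.
$authMethods = Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserPrincipalName
foreach ($m in $authMethods) {
    Write-Host "Removing Authenticator registration '$($m.DisplayName)' ($($m.Id))"
    Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserPrincipalName `
        -MicrosoftAuthenticatorAuthenticationMethodId $m.Id
}

# 2. Issue a single-use Temporary Access Pass. A TAP satisfies MFA on its own,
#    which is exactly why it should be one-time and expire within the hour.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName `
    -LifetimeInMinutes $LifetimeMinutes -IsUsableOnce

# 3. Record who issued what, for whom, under which ticket. The pass value itself
#    is deliberately NOT written to the log.
$expires   = $tap.StartDateTime.AddMinutes($LifetimeMinutes)
$auditLine = '{0} issued TAP {1} for {2} ticket={3} expires={4}' -f `
    (Get-Date -Format o), $tap.Id, $UserPrincipalName, $Ticket, $expires
Add-Content -Path "$env:ProgramData\mfa-recovery-audit.log" -Value $auditLine   # placeholder path

# Give the pass to the user over the verified channel only (e.g. read it back on
# the call). They sign in with it and register the new phone in Security info.
Write-Host "TAP for $UserPrincipalName (single use, $LifetimeMinutes min): $($tap.TemporaryAccessPass)"
```

Pairing the TAP with removal of the old registration is the part people tend to skip: issuing a pass alone gets the user back in, but leaves a lost device enrolled as a valid factor until someone remembers to clean it up.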
ngjrjeff@reddit
Admin can always go find the user and then delete the authentication method registered.
Potential_Return1170@reddit
AI generated post. Concerning that so many sysadmins can't spot that.
Waiting to see the ad drop in a comment for a wondrous unified MFA rollout management solution vibe coded SaaS product.
it4brown@reddit
And now you've made a post that makes everyone question the validity of your position.
Aware-Owl4346@reddit
If you can’t reset their MFA then you aren’t truly an Admin. With an administrator account I can go in the organization control panel and add a new authentication method (like voice message to a land line)
MFKDGAF@reddit
Any true MFA system would allow administrators to reset a user's MFA no matter what type of MFA it is, since it would be registered (linked) to that user's account so that they can re-enroll.
It sounds like whatever system you are using is a half-baked system. I would start looking at another vendor / solution for your MFA.
The_Koplin@reddit
This lacks enough detail about what service. But you said it yourself “no backup codes”. If the user is in charge of their account this will happen. However for Microsoft, admins can clear the MFA and allow enrollment again or add a temp access code.
You mentioned the ‘vendor’; this is normal. You won’t have access unless you control the MFA system. People doing this at scale control the SSO/MFA platform used to integrate services to an identity provider: Duo, Entra, etc. What the token is doesn’t matter then. You can also roll out a self-service recovery portal in most of these systems that allows them to enroll a new phone or token.
mixduptransistor@reddit
What does "IT has no recovery path configured" mean?
They get a new phone and then they can reinstall the authenticator. Why are you involving a vendor? Is this not SSO through your primary identity system such as Entra?
LesPaulAce@reddit
What MFA system are you working with? Can’t be M365, as it would be only a couple clicks to remove the old MFA method, allowing them to start over and register a new device.
iamamystery20@reddit
Why can't you reset MFA after verifying user?
siedenburg2@reddit
That's why you have user-based backup codes, or accounts (with every audit/log function possible) that can reset TOTP.
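The backup-code half of that suggestion, as an added example for an in-house TOTP deployment (not code from the thread or from any vendor): codes come from a CSPRNG, only a peppered HMAC of each code is stored so a leaked store cannot be brute-forced offline, each code is single-use, and every issue, redemption and failed attempt is logged. The store path, log path, function names and the RECOVERY_CODE_PEPPER environment variable are illustrative assumptions.

```powershell
# Added example (not from the thread): hashed, single-use recovery codes with an
# audit trail. The pepper must live outside the code store (here: an env var);
# the fallback value below is a placeholder for local testing only.
using namespace System.Security.Cryptography

$script:Store  = '.\recovery-codes.json'      # assumed location of the code store
$script:Audit  = '.\mfa-recovery-audit.log'   # assumed audit log path
$script:Pepper = if ($env:RECOVERY_CODE_PEPPER) { $env:RECOVERY_CODE_PEPPER } else { 'PLACEHOLDER-PEPPER-CHANGE-ME' }

function Write-Audit([string] $Message) {
    Add-Content -Path $script:Audit -Value ('{0} {1}' -f (Get-Date -Format o), $Message)
}

function Get-CodeHash([string] $Code) {
    # HMAC-SHA256(pepper, normalized code): equal-length hex, never the code itself
    $hmac = [HMACSHA256]::new([Text.Encoding]::UTF8.GetBytes($script:Pepper))
    $hash = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($Code.Trim().ToLowerInvariant()))
    return ($hash | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Read-Store {
    if (-not (Test-Path $script:Store)) { return @() }
    return @(Get-Content $script:Store -Raw | ConvertFrom-Json)
}

function New-RecoveryCodes {
    param([Parameter(Mandatory)] [string] $User, [int] $Count = 8)
    $rng     = [RandomNumberGenerator]::Create()
    $codes   = @()
    $records = @()
    for ($i = 0; $i -lt $Count; $i++) {
        $bytes = New-Object byte[] 5                         # 40 bits -> 10 hex chars, typeable
        $rng.GetBytes($bytes)
        $code   = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
        $codes += $code
        $records += [pscustomobject]@{ User = $User; Hash = (Get-CodeHash $code); Used = $false }
    }
    # Replace any earlier, unused codes for this user; keep other users' records.
    $others = Read-Store | Where-Object { $_.User -ne $User }
    @($others) + $records | ConvertTo-Json -Depth 3 | Set-Content $script:Store
    Write-Audit "issued $Count recovery codes for $User"
    return $codes        # shown to the user once; the clear text is never persisted
}

function Test-RecoveryCode {
    param([Parameter(Mandatory)] [string] $User, [Parameter(Mandatory)] [string] $Code)
    $records = Read-Store
    $hash    = Get-CodeHash $Code
    $match   = $records | Where-Object { $_.User -eq $User -and $_.Hash -eq $hash -and -not $_.Used } |
               Select-Object -First 1
    if (-not $match) {
        Write-Audit "FAILED recovery-code attempt for $User"   # feed this to your alerting
        return $false
    }
    $match.Used = $true                                        # burn the code before granting access
    $records | ConvertTo-Json -Depth 3 | Set-Content $script:Store
    Write-Audit "recovery code redeemed by $User; TOTP re-enrollment required"
    return $true
}

# Usage:
#   $codes = New-RecoveryCodes -User 'jdoe'
#   Test-RecoveryCode -User 'jdoe' -Code $codes[0]   # True the first time, False on replay
```

Two design points worth keeping even if the storage is swapped for a real database: the code is burned before access is granted, so a race cannot redeem it twice, and a successful redemption is treated as the start of re-enrollment rather than a permanent bypass.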