The 2FA admin reset process for a user is very problematic
Problem reported by A System Administrator - 12/3/2021 at 10:47 AM
I had posted a question before about how to reset 2FA (here) but now that I've actually rolled out "Forced" 2FA for our domains I'm running into an issue with how this reset is implemented.

It appears the process is to impersonate the user and use the "Reset" button located under the Two-Step Authentication section. The trouble is that this button only launches the 2FA setup wizard for ME (the admin impersonating), which is no good. I don't have the user's phone to scan the code and verify the OTP.

Currently, I have to call the user and have them manually enter the secret key into Google Authenticator, then give me the OTP to confirm it, which is just terrible (getting a user to key in 16 characters correctly on a cell phone is excruciating).

Is there a reason the "Reset" button doesn't just simply reset the user's 2FA setup to what it would be for a new/first-time user? With 2FA "forced" on a domain, when users log in for the first time they see a nice setup wizard; I strongly feel that "Reset" should put the user back in this state (and even reset the app passwords).

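The behaviour the post asks for, as an added example that is not part of the original post and not the mail server's own code: an admin-side reset that clears the stored TOTP secret, revokes app passwords and flags the account as needing enrollment, so the user's next login lands in the setup wizard and the admin never has to see or read out the secret. The `Account` fields, function names and the 16-character base32 secret length are assumptions for illustration; the TOTP/HOTP arithmetic follows RFC 6238 / RFC 4226 and is checked against their published test vector.

```python
"""Model of a first-login-style 2FA reset plus the TOTP confirmation step.

Added example (not SmarterMail code). Account fields, function names and the
secret length are assumptions; the TOTP math is RFC 6238 over HMAC-SHA1.
"""
import base64
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

TOTP_STEP = 30  # seconds per TOTP time step (RFC 6238 default)


@dataclass
class Account:
    username: str
    totp_secret: Optional[str] = None               # base32; None until enrolled
    app_passwords: Dict[str, str] = field(default_factory=dict)
    enrollment_required: bool = True                # True == "show the setup wizard"


def totp(secret_b32: str, for_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter with dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(for_time) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret_b32: str, code: str, now: int, window: int = 1, digits: int = 6) -> bool:
    """Accept the current step and +/- `window` neighbours to absorb clock skew.

    Comparison is constant-time so the check does not leak which step matched.
    """
    return any(
        hmac.compare_digest(totp(secret_b32, now + i * TOTP_STEP, digits=digits), code)
        for i in range(-window, window + 1)
    )


def admin_reset(account: Account) -> None:
    """What the post wants 'Reset' to do: back to the new-user state.

    The admin never learns a secret here; the user generates a fresh one at
    next login. App passwords are revoked too, since they bypass 2FA.
    """
    account.totp_secret = None
    account.app_passwords.clear()
    account.enrollment_required = True


def login_requires_setup(account: Account) -> bool:
    """Forced-2FA login gate: route into the wizard until enrollment completes."""
    return account.enrollment_required or account.totp_secret is None


def begin_enrollment() -> str:
    """Generate the secret the wizard shows as a QR code / 16-char base32 string.

    10 random bytes encode to 16 base32 characters (assumed length, matching
    the post's description); the secret is only stored once confirmed.
    """
    return base64.b32encode(secrets.token_bytes(10)).decode()


def complete_enrollment(account: Account, pending_secret: str, code: str, now: int) -> bool:
    """Store the secret only after the user proves the authenticator has it."""
    if not verify_totp(pending_secret, code, now):
        return False
    account.totp_secret = pending_secret
    account.enrollment_required = False
    return True


if __name__ == "__main__":
    acct = Account("alice")
    pending = begin_enrollment()
    print("user would scan/type:", pending, "(", len(pending), "chars )")
    code = totp(pending, 1_700_000_000)           # what the phone would display
    print("enrolled:", complete_enrollment(acct, pending, code, 1_700_000_000))
    acct.app_passwords["phone-imap"] = "example-app-password"
    admin_reset(acct)
    print("needs wizard after reset:", login_requires_setup(acct),
          "app passwords left:", len(acct.app_passwords))
```

The test vector in the RFC uses the ASCII secret `12345678901234567890` (base32 `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`) and expects `94287082` at T=59 with 8 digits; the same key yields the RFC 4226 HOTP values `755224`, `287082`, `359152`, `969429` for counters 0-3, which is what the skew-window check below relies on.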