Okta Account Locked: MFA Reset Requests
This article explains how to request a Multi-Factor Authentication (MFA) reset.
MFA Reset Request Process Summary
In general, it is important for Dashboard Admins to enroll in multiple MFA methods and to make use of the ability to regenerate the recovery code.
The following factors can be configured from the Profile page, and it is highly recommended to enroll in at least 2 of them and in as many as possible:
- WebAuthn with FIDO security keys: WebAuthn roaming authenticators are removable and cross-platform, like a YubiKey, and can be used on multiple devices. To authenticate with a roaming authenticator, users must connect the authenticator to their device (through USB, NFC, or Bluetooth) and provide proof of presence (by touching it, for example).
- WebAuthn with device biometrics: WebAuthn platform authenticators are attached to a device and work only on that device. Examples are the MacBook Touch Bar, Windows Hello, iOS Touch ID or Face ID, and Android fingerprint or face recognition. Because they work on the attached device only, a user must have at least one other factor enrolled in their profile before enrolling in device biometrics.
- Push notification via Guardian: This service sends push notifications to a user’s pre-registered device, typically a mobile phone or tablet. With a button press, the user can immediately allow or deny account access. The push factor is available with the Guardian mobile app for iOS and Android.
- One-time passwords (OTP): Allow users to use an authenticator app (such as Google Authenticator) on their personal devices. The app generates an OTP that changes over time and can be entered as a second factor to validate the account.
- SMS notification: Auth0 sends a one-time code over SMS and prompts the user to enter it before they can complete authentication.
Please make sure the recovery code is stored in a secure location, such as a password manager. If it has not been stored, regenerate the recovery code and store it now.
When No MFA Authenticators are Accessible
If a tenant member has lost access to all authenticators and their recovery code, do not delete the tenant/team member. Deleting a tenant member does not reset their MFA enrollments. It only removes their access to the relevant tenant or teams. Instead, file an MFA reset request as detailed below.
Filing an MFA Reset Request:
Watch the video and follow the steps below based on the account type.
Free account
- Send @support a private message with the email address of the account.
- Once submitted, a support ticket will be opened, and the Developer Support Team will verify the request and proceed.
Paid account
- Open a Support ticket describing what happened and attach the tenant name and tenant admin email address.
- The Developer Support Team will confirm the identity and handle the request.
- If access to support.auth0.com is unavailable, follow the instructions for the free account.