https://community.isc2.org/t5/Tech-Talk/2FA-recovery/m-p/52247#M3611 <P>Hi All,</P><P>&nbsp;</P><P>Topic for discussion:</P><P>&nbsp;</P><P>What is the secure and safe method for users <FONT color="#993366"><STRONG>to recover</STRONG></FONT> their account if they lost access to their 2nd factor Authentication device/method and do not have backup codes either.</P><P>&nbsp;</P><P><SPAN>If we lose the device we use for two-factor authentication (2FA), or are unable to access your 2FA method, we can easily request help from an account administrator to reset your 2FA. Once your 2FA is reset, we can log in with only with username and password. In this case user has to take the support of admin..it's not a big deal&nbsp;</SPAN><SPAN>but what I'm&nbsp;highlighting here is self-service MFA recovery</SPAN></P><P>&nbsp;</P><P>I know few ways like <SPAN>TOTP&nbsp;</SPAN>, Email OTP, however these methods having risks</P><P>for email OTP, if the email has been compromised then that will be the risk since they can reset password on the account and verify OTP sent to the same email</P><P>&nbsp;</P><P>is there any guideline in this regard from NIST like&nbsp;Digital Identity Guidelines NIST-SP-800-63A</P><P>any ideas please?!!</P><P>&nbsp;</P><P>thank</P><P>&nbsp;</P> Mon, 01 Aug 2022 17:27:12 GMT iluom 2022-08-01T17:27:12Z https://community.isc2.org/t5/Tech-Talk/2FA-recovery/m-p/52247#M3611 <P>Hi All,</P><P>&nbsp;</P><P>Topic for discussion:</P><P>&nbsp;</P><P>What is the secure and safe method for users <FONT color="#993366"><STRONG>to recover</STRONG></FONT> their account if they lost access to their 2nd factor Authentication device/method and do not have backup codes either.</P><P>&nbsp;</P><P><SPAN>If we lose the device we use for two-factor authentication (2FA), or are unable to access your 2FA method, we can easily request help from an account administrator to reset your 2FA. Once your 2FA is reset, we can log in with only with username and password. In this case user has to take the support of admin..it's not a big deal&nbsp;</SPAN><SPAN>but what I'm&nbsp;highlighting here is self-service MFA recovery</SPAN></P><P>&nbsp;</P><P>I know few ways like <SPAN>TOTP&nbsp;</SPAN>, Email OTP, however these methods having risks</P><P>for email OTP, if the email has been compromised then that will be the risk since they can reset password on the account and verify OTP sent to the same email</P><P>&nbsp;</P><P>is there any guideline in this regard from NIST like&nbsp;Digital Identity Guidelines NIST-SP-800-63A</P><P>any ideas please?!!</P><P>&nbsp;</P><P>thank</P><P>&nbsp;</P> Mon, 01 Aug 2022 17:27:12 GMT https://community.isc2.org/t5/Tech-Talk/2FA-recovery/m-p/52247#M3611 iluom 2022-08-01T17:27:12Z https://community.isc2.org/t5/Tech-Talk/2FA-recovery/m-p/52251#M3612 <P>We recently updated our corporate environment to require that MFA registrations/updates be done from a managed (domain-joined, MDM, or onsite) device.&nbsp; We fully anticipate this will cause some issues but it does substantially raise the bar for bad actors.</P><P>&nbsp;</P><P>Also, I personally reduce my odds of getting locked out by registering multiple forms of MFA but at the same time, I realize I am not "normal" in this regard.</P><P>&nbsp;</P> Wed, 03 Aug 2022 03:10:11 GMT https://community.isc2.org/t5/Tech-Talk/2FA-recovery/m-p/52251#M3612 denbesten 2022-08-03T03:10:11Z