What is a secure and safe method for users to recover their account if they have lost access to their 2nd-factor authentication device/method and do not have backup codes either?
If we lose the device we use for two-factor authentication (2FA), or are unable to access our 2FA method, we can easily request help from an account administrator to reset our 2FA. Once our 2FA is reset, we can log in with only username and password. In this case the user has to get support from an admin. It's not a big deal, but what I'm highlighting here is self-service MFA recovery.
I know of a few ways, like TOTP and email OTP; however, these methods have risks.
For email OTP, if the email has been compromised, then that is the risk, since they can reset the password on the account and verify the OTP sent to the same email.
Is there any guideline in this regard from NIST, like the Digital Identity Guidelines NIST-SP-800-63A?
We recently updated our corporate environment to require that MFA registrations/updates be done from a managed (domain-joined, MDM, or onsite) device. We fully anticipate this will cause some issues but it does substantially raise the bar for bad actors.
Also, I personally reduce my odds of getting locked out by registering multiple forms of MFA but at the same time, I realize I am not "normal" in this regard.
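The policy in the answer above (MFA registrations and resets only from a managed device) can be expressed as a small conditional-access check. The following is an added example written for this thread, not code from the poster's environment: the `DevicePosture` fields, the onsite address ranges and the sample requests are constructed placeholders standing in for signals a real IdP or MDM would supply. It also tallies repeated denials per user, since a burst of denied resets from unmanaged devices is exactly the event the helpdesk or SOC would want to see.

```python
"""Policy check: allow MFA registration/reset only from a managed device.

Added example (not from the original thread). Device attributes, onsite
network ranges and sample requests are constructed placeholders; a real
deployment would source them from the IdP, MDM and network inventory.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed "onsite" address ranges (placeholder values).
ONSITE_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.0.2.0/24"),
]


@dataclass
class DevicePosture:
    """What the identity provider knows about the requesting device."""
    domain_joined: bool = False   # directory join state (assumed signal)
    mdm_enrolled: bool = False    # MDM enrollment/compliance (assumed signal)
    source_ip: str = ""           # client address as seen by the IdP


@dataclass
class MfaChangeRequest:
    user: str
    action: str          # "register" or "reset"
    device: DevicePosture


def is_onsite(ip: str, networks=ONSITE_NETWORKS) -> bool:
    """True if the source address is inside a known onsite range.
    Empty or malformed addresses are treated as off-site (fail closed)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def evaluate_mfa_change(req: MfaChangeRequest,
                        networks=ONSITE_NETWORKS) -> Tuple[bool, str]:
    """Return (allowed, reason). Only register/reset are governed; any other
    action is denied so a new action type cannot bypass the policy."""
    if req.action not in ("register", "reset"):
        return False, f"unsupported action {req.action!r}"
    d = req.device
    if d.domain_joined:
        return True, "domain-joined device"
    if d.mdm_enrolled:
        return True, "MDM-enrolled device"
    if is_onsite(d.source_ip, networks):
        return True, "onsite network"
    return False, "unmanaged device outside onsite network"


def process_requests(requests: List[MfaChangeRequest]) -> List[Dict[str, str]]:
    """Evaluate each request and produce one audit record per decision."""
    log = []
    for req in requests:
        allowed, reason = evaluate_mfa_change(req)
        log.append({
            "user": req.user,
            "action": req.action,
            "source_ip": req.device.source_ip,
            "decision": "allow" if allowed else "deny",
            "reason": reason,
        })
    return log


def users_with_repeated_denials(log: List[Dict[str, str]], threshold: int = 3) -> List[str]:
    """Users denied at least `threshold` times: worth routing to helpdesk/SOC."""
    counts: Dict[str, int] = {}
    for rec in log:
        if rec["decision"] == "deny":
            counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


# Constructed sample traffic (placeholder users and addresses).
SAMPLE_REQUESTS = [
    MfaChangeRequest("alice", "reset", DevicePosture(domain_joined=True, source_ip="198.51.100.7")),
    MfaChangeRequest("bob", "register", DevicePosture(source_ip="10.20.4.9")),
    MfaChangeRequest("carol", "reset", DevicePosture(source_ip="203.0.113.5")),
    MfaChangeRequest("carol", "reset", DevicePosture(source_ip="203.0.113.5")),
    MfaChangeRequest("carol", "reset", DevicePosture(source_ip="not-an-ip")),
    MfaChangeRequest("dave", "reset", DevicePosture(mdm_enrolled=True, source_ip="203.0.113.9")),
]

if __name__ == "__main__":
    audit = process_requests(SAMPLE_REQUESTS)
    for rec in audit:
        print(rec)
    print("repeated denials:", users_with_repeated_denials(audit))
```

The check fails closed on anything it cannot classify (unknown action, unparsable address), which is the property you want on a control that gates factor re-enrollment; the denial tally is the piece that turns the policy into a detection signal rather than a silent block.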