I’m putting together an API for a project, and one of the requirements is MFA. I’m using TOTP and that all works. I also have facilities to clear the MFA token and regenerate / re-enroll the secret, but I’m wondering what the best practice is for invoking that.

Essentially I need a “forgot password” but for their MFA method (e.g. if they lose their phone or MFA secret).

Would a valid password + validation email be sufficient? Or should I require the user to contact the administrators to reset the MFA? Or something else?

Implementation Notes:

  • MFA is required for a password reset, so if their email is compromised, the attacker wouldn’t necessarily be able to set a new password
  • A valid email address is required and verified at signup.
  • If they lose access to their email and MFA, they will have to contact the application administrators for assistance.
  • This isn’t a “high stakes” application (e.g. not banking, healthcare, etc.) but I do want to make sure accounts are reasonably secure.
---

**slazer2au** · 2 days ago

Have you thought about TOTP recovery codes?

When a user activates TOTP you show a list of 6-8 codes they can use to access the account. Just make sure the recovery code only works one time.

> **Iced Raktajino@startrek.website** (OP) · 2 days ago
>
> I thought about generating a list of backup codes during the onboarding process but ruled it out because I know for a fact that people will not hold on to them.
>
> That’s why I’m leaning more toward, and soliciting feedback for, some method of automated recovery (email token + TOTP for password resets, email token + password for MFA resets, etc.). I’m trying to also avoid using security questions but haven’t closed that door entirely.
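The single-use recovery codes suggested in the reply above, as an added example that is neither poster's code: codes are generated from a CSPRNG, only salted hashes are stored server-side, user input is normalised so dashes and case do not matter, and each code is deleted on its first successful redemption. The in-memory `RecoveryCodeStore` and its method names are assumptions standing in for whatever persistence the API uses.

```python
import hashlib
import hmac
import secrets

# Alphabet without look-alike characters, so users can read codes back from paper.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10  # 31^10 possibilities, roughly 50 bits of entropy per code


def _normalize(code: str) -> str:
    """Accept the code however the user types it: any case, dashes/spaces optional."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def _digest(salt: bytes, code: str) -> str:
    """Salted hash; the salt stops a leaked table from being attacked in bulk."""
    return hashlib.sha256(salt + _normalize(code).encode()).hexdigest()


class RecoveryCodeStore:
    """Per-user recovery codes (assumed in-memory store). Plaintexts are never kept."""

    def __init__(self) -> None:
        self._salts: dict[str, bytes] = {}
        self._hashes: dict[str, set[str]] = {}

    def enroll(self, user: str, count: int = 8) -> list[str]:
        """Issue a fresh set (replacing any old one); return plaintexts to show once."""
        salt = secrets.token_bytes(16)
        codes = ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
                 for _ in range(count)]
        self._salts[user] = salt
        self._hashes[user] = {_digest(salt, c) for c in codes}
        # Dash for readability; _normalize strips it again on redemption.
        return [c[:5] + "-" + c[5:] for c in codes]

    def redeem(self, user: str, code: str) -> bool:
        """Consume a code: True exactly once per code, False for unknown user or code."""
        salt = self._salts.get(user)
        if salt is None:
            return False
        candidate = _digest(salt, code)
        matched = None
        # Scan every stored hash with a constant-time compare instead of returning early.
        for stored in self._hashes[user]:
            if hmac.compare_digest(stored, candidate):
                matched = stored
        if matched is None:
            return False
        self._hashes[user].remove(matched)  # single use: burn it on success
        return True

    def remaining(self, user: str) -> int:
        """How many unused codes are left (useful for prompting a re-enrolment)."""
        return len(self._hashes.get(user, ()))
```

Redeeming a code should also count against the same lockout/rate limit as a failed TOTP attempt, since the store itself only enforces single use.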

---

**tapdattl** · 2 days ago

My work has us call a helpdesk which verifies our ID (based off the number we’re calling from and other info), then gives us a one-time password to reset all our login info.