Is there a way for users to reset their two-factor authenticator themselves?!?!?!

Hi there,

Every time a new iPhone or Galaxy smartphone comes out, I spend a lot of time resetting users’ two-factor authenticators.
Even when no new smartphone has been announced, users keep losing their phones or resetting their authenticator ‘ACCIDENTALLY’.
As the only admin for our Shotgun site, I feel like it happens at least once or twice a day. It literally takes time I could spend developing other stuff and drives me crazy. :crazy_face:

I think this is a very annoying situation for many Shotgun admins, not just me.
I don’t understand why there is a way for users to reset their password but not their TFA. Is there a particular reason?

Can I have another option or workaround to get over this issue?


Hi JT,

Well, as you know, extra security comes at the cost of ease of use… and in this case, an extra burden on you.

If the impacted user still has their one-time-password, then they can reset their own device or move to a new one, from their Account Settings page.

That is the whole point of Multi-Factor Authentication: an additional proof is needed (whether in the form of a password, a device, a list, access to a specific email account, etc.).

The email account is the fallback for the password. The code list is the fallback for the device. You cannot have the same fallback method for 2 of your factors, as it defeats the purpose.

If they don’t have their code list, then you really need to be involved. I do not see another way at this time to securely do the device reset.

The options I see for you are:

  • get a backup admin. You being the only one seems like a dangerous situation anyway, even without considering your 2FA woes.
  • better education of your user base. They have to know how important (and useful) their code list is. If they don’t understand the need for the extra security (or don’t buy into it), they need to be convinced or taught about the importance of managing their 2FA info properly.
  • do you really need 2FA? Or more to the point, is the extra cost (in your time) warranted? If it is used only for your Shotgun server and not for your other company tools, why the extra security? (The answer may very well be “Yes, we need 2FA” :slight_smile: I just want to ensure that someone has indeed considered this and not just enabled 2FA out of habit.)
  • for clients with Super Awesome support, they may consider moving to SSO. Then the 2FA aspect is controlled at the company level, and it is no longer your concern as a Shotgun admin. And since SSO is usually needed for a series of services in the users’ daily life, Shotgun is not the special snowflake in the lot.

Sorry for not bringing you the answer/workaround you were hoping for,
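The fallback model the reply describes (email link resets the password only, the one-time code list is the fallback for the device, and a self-service device reset needs a proof of the second factor) as an added example, not Shotgun’s own code or an account of how its server works. It uses only the Python standard library: RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30 s step), recovery codes stored hashed with PBKDF2 and deleted on first use, and a device reset that rotates the TOTP secret and invalidates the old list. The `Account` class, its method names and the recovery-code format are all assumptions made for the illustration.

```python
"""Added example (not Shotgun's own code): why a device factor needs its own
one-time-code fallback, and why the email fallback must not also reset it."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional, Tuple

TOTP_STEP = 30        # seconds per TOTP window (RFC 6238 default)
TOTP_DIGITS = 6
PBKDF2_ROUNDS = 100_000
RECOVERY_COUNT = 8    # size of the code list handed out at enrolment (assumption)


def totp_code(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30 s step) for the window containing unix_time."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def phone_code(b32_secret: str, unix_time: int) -> str:
    """What the authenticator app on the phone computes from the base32 secret it was provisioned with."""
    return totp_code(base64.b32decode(b32_secret), unix_time)


def _kdf(value: str, salt: bytes) -> bytes:
    """Passwords and recovery codes are stored hashed, so a database leak does not hand out either factor."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, PBKDF2_ROUNDS)


class Account:
    """Hypothetical account record with a password factor and a device (TOTP) factor."""

    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.password_hash = _kdf(password, self.salt)
        self.totp_secret = b""             # empty until enroll_device() is called
        self.recovery_hashes: List[bytes] = []   # hashed, still-unused one-time codes

    def enroll_device(self) -> Tuple[str, List[str]]:
        """(Re)provision the device factor: new TOTP secret plus a fresh code list.
        Returns the base32 secret for the app and the plaintext codes, shown to the user once.
        Any previous code list stops working because its hashes are replaced."""
        self.totp_secret = secrets.token_bytes(20)
        codes = ["-".join(secrets.token_hex(2) for _ in range(3)) for _ in range(RECOVERY_COUNT)]
        self.recovery_hashes = [_kdf(c, self.salt) for c in codes]
        return base64.b32encode(self.totp_secret).decode(), codes

    def verify_password(self, password: str) -> bool:
        return hmac.compare_digest(_kdf(password, self.salt), self.password_hash)

    def verify_totp(self, code: str, now: Optional[int] = None) -> bool:
        """Accepts the current window and its two neighbours, to tolerate small clock skew on the phone."""
        if not self.totp_secret:
            return False
        now = int(time.time()) if now is None else now
        return any(hmac.compare_digest(code, totp_code(self.totp_secret, now + d * TOTP_STEP))
                   for d in (-1, 0, 1))

    def redeem_recovery_code(self, code: str) -> bool:
        """Single use: a matching code is deleted the moment it is accepted."""
        candidate = _kdf(code, self.salt)
        for i, stored in enumerate(self.recovery_hashes):
            if hmac.compare_digest(candidate, stored):
                del self.recovery_hashes[i]
                return True
        return False

    def reset_password_via_email_link(self, new_password: str) -> None:
        """The email fallback covers the password only; it deliberately leaves the device factor alone,
        otherwise access to the mailbox would defeat both factors at once."""
        self.password_hash = _kdf(new_password, self.salt)

    def self_service_device_reset(self, proof: str, now: Optional[int] = None) -> Optional[Tuple[str, List[str]]]:
        """Move to a new phone without an admin, if the user can still prove the second factor:
        a current TOTP code (old device still in hand) or an unused recovery code (the fallback).
        Returns the new provisioning material, or None when only an admin can help."""
        if self.verify_totp(proof, now) or self.redeem_recovery_code(proof):
            return self.enroll_device()
        return None
```

The `None` return at the end is the case the reply describes as unavoidable admin work: no valid TOTP and no unused recovery code leaves nothing but the password and the mailbox, which are the first factor and its fallback, not a second proof.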