Recovering Access to Accounts Protected by Two-Factor Authentication
Meraki offers two ways to ensure access to a TFA-protected account is not lost: the option to configure a backup phone number (available for SMS authorization), and a list of one-time codes to use in place of a TFA code (available for both SMS authorization and Duo Mobile). These two methods should be treated as the primary troubleshooting steps to temporarily bypass two-factor authentication and regain access to an account.
Note: It is recommended that Duo Mobile users enable Duo Restore (iOS, Android). This will allow for easy account recovery to the same device or a new device.
If the above solutions are not possible, the only alternative is for Meraki Support to disable the account's TFA configurations so the user can regain access. Since TFA is an important security mechanism, Meraki Support will not disable the configuration without first positively identifying the account owner.
Please note that 2FA removal requests cannot be resolved via our Support phone lines.
For security purposes, a Meraki Support case requesting 2FA disablement must be opened from the Meraki Support Home page under the 'No dashboard Access?' section.
The organization-wide security configuration "Force users to set up and use two-factor authentication" overrides Meraki Support's ability to disable TFA for an individual user. In order to complete the process of disabling TFA for the individual, this configuration must be disabled from every organization the account is associated with.
Note: Disabling this organization-wide security configuration will not disable TFA for any users; it will merely provide Meraki Support the ability to manually disable TFA for the locked-out account.
There are two methods to verify account ownership for the account recovery process:
Method 1
1. Open a case from the Support home page.
   - This email must be the email address of the account TFA is to be disabled on.
   - The case must include the full name of the organization that the account resides in.
2. A second organization administrator must comment on the case through Dashboard granting approval to disable TFA on the account in question.
   - Email or phone approval is not acceptable for this. The approval must come as a comment on the case.
   - This permission may be granted by an organization administrator with Full access, and SAML administrators with Full access. Approval by network administrators or administrators with read-only access will not be accepted.
Dashboard organizations should always have at least two organization admins with full permissions. This is best practice in case one account is locked out or if access to that account's email address is lost.
Method 2
If a second organization administrator with full access does not exist or is otherwise unavailable, please proceed with this method of verification.
1. Open a case from the Support home page.
   - This email must be the email address of the account TFA is to be disabled on.
   - The case must include the full name of the organization that the account resides in.
2. The Support Operations Specialist will request more information about the organization and its contents and settings to verify the validity of the request.
3. The Support Operations Specialist will request documentation to further prove ownership of the account, organization, and its contents.
4. Once verification has been completed, the Support Operations Specialist will provide you with a digital Docusign document. Please fill it out, sign digitally, and return it by attaching it to the support case.
Once one of the above methods has been finished, TFA may then be disabled.