Unable to re-register 2FA without disabling org-wide forced 2FA

Solved
bmull
Conversationalist


It seems impossible for Meraki dashboard users to re-register their 2FA authentication token (in the case they're changing their current mobile device) via the Meraki dashboard when the Organization Setting "Force users to set up and use two-factor authentication" is enabled. This seems like a UX gap. Am I missing something?


With "Force users to set up and use two-factor authentication" enabled the user profile only shows an option to "(re)configure offline access on a mobile device":

[screenshot: user profile with forced 2FA enabled, showing only "(re)configure offline access on a mobile device"]

With "Force users to set up and use two-factor authentication" disabled the user profile shows an option to "Turn off two-factor authentication" and a link to "(re)configure offline access on a mobile device":

[screenshot: user profile with forced 2FA disabled, showing "Turn off two-factor authentication" and "(re)configure offline access on a mobile device"]

When selecting "(re)configure offline access on a mobile device" on a mobile device there is no option to set up 2FA on a new device (this is the same even if the mandatory 2FA org setting is enabled or disabled):

[screenshot: "(re)configure offline access on a mobile device" dialog, with no option to set up 2FA on a new device]

The implication here is that organizations that force 2FA for all their users need to temporarily disable org-wide mandatory 2FA so that users can turn off two-factor authentication and then re-enroll on their new device. This seems very poorly thought out. There ought to be a 2FA re-enrollment wizard to facilitate this use-case without having to turn off mandatory 2FA for the entire organization by an admin.

1 Accepted Solution
bperezgo
Meraki Employee

Hi @bmull,


You are correct, with the current design, "Force users to set up and use two-factor authentication" must be disabled from every organization the account is associated with to complete the process of disabling 2FA for the user—which will then allow the user to turn off 2FA and re-enroll their new device. 

If you use Duo Mobile, enabling Duo Restore (iOS, Android) will allow for easier account recovery to the new device.

Cheers,

3 Replies
Mloraditch
Kind of a big deal

This is something switching to SAML would resolve.

However I feel your pain as we developed an API solution for managing our admins before SAML was as fully baked as it is now. We have a dummy org that we can add users to w/o 2FA forced that we can put them in and temporarily remove them from something else so that they can make these sorts of changes when necessary.

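The API-driven workaround Mloraditch describes (keep the user in a holding org that does not force 2FA, pull them out of the enforced org while they reset 2FA, then put them back) as an added example. This is not code from the original post or from Meraki; it assumes the public Dashboard API v1 admin endpoints (GET and POST `/organizations/{organizationId}/admins`, DELETE `/organizations/{organizationId}/admins/{adminId}`) and the `X-Cisco-Meraki-API-Key` header. The admin field names kept in the role snapshot, the org IDs, the example admins and the in-memory `FakeDashboard` are all constructed so the script runs offline; the org-level "force 2FA" setting itself is not touched, since this example does not assume an API for it.

```python
"""Temporarily remove a Meraki admin from a 2FA-enforced org (keeping a holding-org
membership) so they can reset 2FA, then restore the saved role.  Added example."""
import copy
from typing import Any, Callable, Dict, List, Optional, Tuple

API_BASE = "https://api.meraki.com/api/v1"
# Transport signature: (method, path, json_body) -> (http_status, parsed_json_or_None)
Transport = Callable[[str, str, Optional[dict]], Tuple[int, Any]]
# Fields we re-send to POST /admins to recreate the admin (assumed from the API docs).
ROLE_FIELDS = ("name", "email", "orgAccess", "networks", "tags")


def requests_transport(api_key: str) -> Transport:
    """Real HTTP transport; `requests` is imported lazily so the offline demo needs no network."""
    import requests

    def call(method: str, path: str, body: Optional[dict] = None) -> Tuple[int, Any]:
        r = requests.request(method, API_BASE + path, json=body, timeout=30,
                             headers={"X-Cisco-Meraki-API-Key": api_key, "Accept": "application/json"})
        return r.status_code, (r.json() if r.content else None)
    return call


def _check(status: int, ok: Tuple[int, ...], what: str) -> None:
    if status not in ok:
        raise RuntimeError(f"{what} failed with HTTP {status}")


def list_admins(t: Transport, org_id: str) -> List[dict]:
    status, admins = t("GET", f"/organizations/{org_id}/admins", None)
    _check(status, (200,), "list admins")
    return admins


def find_admin(t: Transport, org_id: str, email: str) -> Optional[dict]:
    return next((a for a in list_admins(t, org_id) if a["email"].lower() == email.lower()), None)


def snapshot_role(admin: dict) -> dict:
    """Keep only what is needed to recreate the admin with identical rights (drops id, 2FA state)."""
    return copy.deepcopy({k: admin[k] for k in ROLE_FIELDS if k in admin})


def ensure_in_holding_org(t: Transport, holding_org_id: str, role: dict) -> None:
    """The user must keep one membership that does not force 2FA, or the account has nowhere to
    log in from while the enforced membership is removed.  Read-only is enough for that."""
    if find_admin(t, holding_org_id, role["email"]) is None:
        status, _ = t("POST", f"/organizations/{holding_org_id}/admins",
                      {"name": role["name"], "email": role["email"], "orgAccess": "read-only"})
        _check(status, (200, 201), "add to holding org")


def release_admin(t: Transport, org_id: str, email: str) -> dict:
    """Snapshot the admin's role in the enforced org, refuse to orphan the org, then remove them."""
    admins = list_admins(t, org_id)
    admin = next((a for a in admins if a["email"].lower() == email.lower()), None)
    if admin is None:
        raise LookupError(f"{email} is not an admin of org {org_id}")
    # Lockout guard: never delete the only full-access admin of an organization.
    if admin.get("orgAccess") == "full" and sum(a.get("orgAccess") == "full" for a in admins) == 1:
        raise RuntimeError("refusing to remove the only full-access admin from the org")
    role = snapshot_role(admin)
    status, _ = t("DELETE", f"/organizations/{org_id}/admins/{admin['id']}", None)
    _check(status, (200, 204), "remove admin")
    return role


def restore_admin(t: Transport, org_id: str, role: dict) -> dict:
    """Recreate the admin in the enforced org once they have re-enrolled 2FA on the new phone."""
    status, created = t("POST", f"/organizations/{org_id}/admins", role)
    _check(status, (200, 201), "restore admin")
    return created


class FakeDashboard:
    """Constructed in-memory stand-in for the admin endpoints so the example runs offline."""

    def __init__(self, orgs: Dict[str, List[dict]]):
        self.orgs = copy.deepcopy(orgs)
        self._next_id = 100

    def __call__(self, method: str, path: str, body: Optional[dict] = None) -> Tuple[int, Any]:
        parts = path.strip("/").split("/")          # organizations/<orgId>/admins[/<adminId>]
        org = self.orgs.get(parts[1])
        if org is None or parts[0] != "organizations" or parts[2] != "admins":
            return 404, None
        if method == "GET":
            return 200, copy.deepcopy(org)
        if method == "POST":
            self._next_id += 1
            new = dict(body, id=str(self._next_id), twoFactorAuthEnabled=False)
            org.append(new)
            return 201, copy.deepcopy(new)
        if method == "DELETE" and len(parts) == 4:
            before = len(org)
            org[:] = [a for a in org if a["id"] != parts[3]]
            return (204, None) if len(org) < before else (404, None)
        return 405, None


def demo() -> Dict[str, List[dict]]:
    """Run the full workaround against constructed data; returns the final per-org admin lists."""
    fake = FakeDashboard({
        "111": [  # enforced org: Alice plus a second full admin so the lockout guard passes
            {"id": "1", "name": "Alice", "email": "alice@example.com", "orgAccess": "full",
             "networks": [], "tags": [{"tag": "branch", "access": "full"}], "twoFactorAuthEnabled": True},
            {"id": "2", "name": "Bob", "email": "bob@example.com", "orgAccess": "full",
             "networks": [], "tags": [], "twoFactorAuthEnabled": True},
        ],
        "999": [],  # holding org: 2FA not forced
    })
    ensure_in_holding_org(fake, "999", snapshot_role(find_admin(fake, "111", "alice@example.com")))
    role = release_admin(fake, "111", "alice@example.com")
    # ... Alice now logs in via the holding org, turns off 2FA and re-enrolls on the new phone ...
    restore_admin(fake, "111", role)
    return fake.orgs


if __name__ == "__main__":
    print(demo())
```

Run it against the real API by swapping `FakeDashboard` for `requests_transport(api_key)` and your own org IDs. Two things to verify in a test org before relying on this: that removing and re-adding an admin does not reset anything beyond org membership for your setup, and that the holding-org membership really is enough for the user to reach the profile page and turn 2FA off, which is the condition the accepted answer states (enforcement off in every org the account belongs to).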
PhilipDAth
Kind of a big deal

This is 100% a design flaw. I would call it a bug.

Not a fix; are you aware of email plus codes?  After the username part, you can put a + and another bit of text, and it will still go to your email address.  For example, these will all get delivered to the same place:

user+phone1@company.com

user+phone2@company.com

My horrible solution, sign up as a second administrator using a plus code email address,
