MFA for Administrators

Solved
DillonofAnch17
Getting noticed

MFA for Administrators

Why cant you have another organization Administrator reset this?/ It seems a little overkill to have to create a case just for a new phone number or lost device. 

 

Thoughts?

 

 

1 Accepted Solution
DillonofAnch17
Getting noticed

@SoCalRacer Yeah I actually use DUO auth so it's not bad I just had a coworker have to factory reset his phone and the below happened. 

 

"Google Auth App won't restore my settings " I look at the documentation for 2 minutes. Proceed to delete and readd admin

 

Told him to Use  SMS or DUO as we have an enterprise Duo and it saves all your settings

 

 

 

I'm all for security and that internal disgruntled worker makes sense. But even DUO doesn't require that for a forgotten device, hence my conundrum for this notarized security! 

View solution in original post

4 Replies 4
SoCalRacer
Kind of a big deal

Please note SMS auth is considered beta

 

Process to reset is outlined here.

https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Two-Factor_Authentication#Reco...

 

I would say the general position is that losing devices isn't a regular thing. Allowing any admin to reset a 2FA could cause a security issue in that if the admin was a disgruntled employee then they could reset all the 2FA and it would break logins for everyone. They then could cause havoc. Essentially this process allows User, Admin, and Support to ok the change. Security is a pain, but required. My suggestion would be use a device you won't lose using Google Authenticator instead of SMS.

DillonofAnch17
Getting noticed

@SoCalRacer Yeah I actually use DUO auth so it's not bad I just had a coworker have to factory reset his phone and the below happened. 

 

"Google Auth App won't restore my settings " I look at the documentation for 2 minutes. Proceed to delete and readd admin

 

Told him to Use  SMS or DUO as we have an enterprise Duo and it saves all your settings

 

 

 

I'm all for security and that internal disgruntled worker makes sense. But even DUO doesn't require that for a forgotten device, hence my conundrum for this notarized security! 

BlakeRichardson
Kind of a big deal
Kind of a big deal

We have all of our admin accounts across most services using MFA / 2FA. We do also have a backup account just in case without this enabled, the last thing I want is to be locked out becuase I am not recieving the notification.

MABOPAQ
New here

I am an admin in our dashboard, another user changed his cell phone and now he cannot authenticate or access the dashboard and I cannot help him. I read the security concern. which I consider invalid. I am the Domain Admin, and it is part of my role to be able to reset, change, add, delete any account or application. You are taking my role. I appreciate the advice. Using your logic then, Allowing Cisco support admin to reset a 2FA could cause a security issue in that if the cisco admin was a disgruntled employee, then they could reset all the 2FA and it would break logins for everyone in the cisco world. You could cause havoc. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.