Turnkey Consulting | Key View

Multi-Factor Authentication (MFA) Recovery: Options and Innovations

Written by Maxime Favrel | 15 July 2024

Multi-factor authentication (MFA) is an effective and well-adopted method of preventing cyberattacks based on password theft. So, it’s not surprising that companies are increasingly utilising it when employees and other users access sensitive data. 

Mobile authenticator apps are one of the most secure and commonly used forms of MFA and are popular regardless of the vendor (Microsoft, Okta, Ping, Google, etc.). These apps provide additional verification methods to users via their mobile device, providing convenient access.   

However, during the deployment of MFA for our clients, a recurring question often arises: What happens if a user loses their phone?  

If you’ve ever lost or replaced your phone, you may have experienced this challenge for yourself. In today’s article, we explore how a user who has lost their phone can securely access an application protected by MFA, including a specific use case utilising Ping Identity tools.  

 

Balancing security and user experience in MFA recovery 

There is no single fix to the lost device problem, as is often the case with any new product deployment within an IT environment. Depending on security requirements and user experience, several different solutions could be explored: 

Enrol a second factor 

Our first recommendation would be to ensure the user enrols a second factor – usually a one-time password (OTP) by email, a hard token, or Fast IDentity Online 2 (FIDO2) – to preempt any possible device loss. This proactive measure gives the user more autonomy and avoids the need to contact the help desk.  

There are drawbacks to this approach, however: 

  • OTP by email is no longer considered secure. Moreover, some companies protect access to their employees' mailboxes with MFA, leading to a catch-22.
  • Using a hard token like a YubiKey comes with a prohibitively high cost, especially for large workforces.
  • Using biometrics via the FIDO2 protocol (Windows Hello, for example) is not always possible. Generally, this is due to technological limitations of workstations that do not support the protocol. Plus, users may be reluctant to register their biometric data on a professional device they do not control.

Temporarily bypass MFA

Another method that solutions like PingOne offer natively is allowing the user to bypass MFA for a certain period. Once the user has a new smartphone, they can unpair the lost device themselves, enrol the new one, and inform the help desk to reactivate MFA. Notably, in this method, MFA is disabled for all applications the user attempts to access. 

Bypassing MFA prioritises user experience at the expense of access security. This method also requires work from the help desk – both in supporting users through the process and in tracking those who have deactivated MFA, to ensure they do not keep bypassing it once a new device has been enrolled.

Contact the help desk 

Perhaps the most obvious and simplest method is having the user contact the help desk to get assistance with unpairing the lost device. This will allow the user to enrol their new device, if they have one available, at the next login.  

Here too, the solution depends on the help desk. We must also consider the need to verify the identity of the person contacting support. What if a cybercriminal poses as an employee who has lost their MFA factor in order to enrol their own device? This situation becomes particularly concerning if the company's main authentication system is passwordless and therefore relies solely on MFA.

 

Streamlining MFA recovery with PingOne DaVinci & PingOne Verify  

Recognising the drawbacks to each of these options, Ping Identity has introduced a new set of tools to automate the recovery process, enhance user experience, and guarantee high security. 

The first tool is PingOne DaVinci, a solution that allows for the easy creation of authentication journeys using connectors with prebuilt functions. These connectors, placed sequentially and linked via a drag-and-drop system, allow for customised authentication journeys with little to no coding required. 

This tool can be combined with PingOne Verify, a cloud service capability, which utilises facial recognition from an ID document or a live selfie. Here’s how they work together.

 

Using PingOne DaVinci & PingOne Verify in practice  

Let's consider a hypothetical scenario with the following conditions: 

  • The user has lost their only means of validating MFA, which was their PingID mobile app. They can no longer access protected applications. 
  • The user has bought a new smartphone, but it is not yet registered. 
  • The user cannot access the device management page to enrol their new device, as this page requires MFA validation. 
  • We want to avoid involving the help desk for the reasons explored above. 

The DaVinci flow enables us to organise the recovery and re-enrolment process in two main steps:  

  1. Verify the user's identity with PingOne Verify. 
  2. Unpair the lost smartphone and start the enrolment process for the new device. 

Let’s break down those steps in more detail: 

  1. The user connects to a dedicated PingOne URL for managing lost factors from their workstation.
  2. The user authenticates using their username and password.
  3. A QR code appears on the user's workstation, which they scan with their new phone.
  4. On this phone, the browser opens and prompts the user to take a live selfie.
  5. Once PingOne Verify captures the selfie, it is compared with a pre-registered photo of the user.
  6. If the identity matches, DaVinci automatically unpairs the user's previous smartphone.
  7. The user is then prompted to enrol their new device.
  8. The user will now be able to access any applications protected by MFA. 
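To make the security invariant of this flow concrete, here is an added illustration (not Ping Identity code and not from the original article) that models steps 2 to 7 as a small policy function over in-memory stubs. The directory, the PingOne Verify result (a constructed match score plus liveness flag), the 0.90 threshold and the device store are all assumptions; the point is that the lost device is unpaired only after both the password check and the identity verification succeed, and that a missing reference photo falls back to the help desk rather than silently passing.

```python
"""Toy model of the recovery flow: password, then selfie verification,
then unpair the lost device and enrol the new one. Hypothetical code;
the Verify service is simulated by a score and a liveness flag."""
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

MATCH_THRESHOLD = 0.90  # assumed minimum selfie-vs-reference match score


@dataclass
class User:
    username: str
    password: str                     # plaintext only in this toy model
    reference_photo_id: Optional[str]  # pre-registered photo, if any
    paired_device: Optional[str]       # currently enrolled phone
    audit: List[str] = field(default_factory=list)


def verify_selfie(user: User, match_score: float, liveness_ok: bool):
    """Stub for PingOne Verify. Returns None when there is nothing to
    compare against, so callers cannot mistake 'no photo' for 'match'."""
    if user.reference_photo_id is None:
        return None
    return liveness_ok and match_score >= MATCH_THRESHOLD


def recover_mfa(user: User, password: str, match_score: float,
                liveness_ok: bool, new_device: str) -> str:
    """Run the recovery flow and return its outcome.
    Invariant: unpairing happens only after password AND identity
    verification both succeed, so a stolen password alone never lets
    someone enrol their own device."""
    if not hmac.compare_digest(password, user.password):
        user.audit.append("password_failed")
        return "denied"
    verified = verify_selfie(user, match_score, liveness_ok)
    if verified is None:
        user.audit.append("no_reference_photo")
        return "helpdesk_required"  # fall back instead of auto-unpairing
    if not verified:
        user.audit.append("identity_mismatch")
        return "denied"
    user.audit.append(f"unpaired:{user.paired_device}")  # step 6
    user.paired_device = new_device                       # step 7
    user.audit.append(f"enrolled:{new_device}")
    return "recovered"
```

The audit list stands in for the event trail a real deployment would send to its SIEM, so that failed recoveries and every unpair are visible to the security team.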

 

In summary: Simplifying MFA recovery 

While there are a variety of options for MFA recovery, most methods to date come with drawbacks. Together, PingOne DaVinci and PingOne Verify offer an all-around effective alternative solution.  

From a business perspective, combining these tools streamlines operations and improves the user experience without compromising security. Specifically, it allows companies to relieve help desks, which are often overwhelmed by multiple requests for lost factors. It gives users more autonomy, enabling them to avoid interruptions and remain productive. And perhaps most importantly, it’s ideal from a security standpoint, as MFA requirements are maintained. 

Are you interested in exploring MFA solutions for your organisation? Contact us today