Self Service MFA recovery process

[Martin Douglas <martin () UWO CA>]

Hi Educause Security,

I am Martin Douglas from Western University in Ontario, Canada. We are contemplating building a self service MFA 
recovery process for people who have forgotten their device. The end result would be delivery of a temporary bypass 
code with the intention it is used to set up a secondary/tertiary device (to be used to regain access to services).

NOTE: This has been cross-posted to Internet2-SI and Educause-IDM

Would you mind providing in input to our discussions?

*       If you would prefer to give input offline you can email me directly.

*       If we get enough answers (>8), I could provide some aggregated results back to the list.

Some questions:

1.       Do you have a self service MFA recovery process?

2.       If yes:

a.       What techniques and/or data do you use validate the person is who they claim to be?

b.       Is there a fall back process? E.g. call Helpdesk

c.       How successful has it been/often is it used (if you have data)?

3.       If no and it is purposeful (as in it was contemplated and decided against):

a.       Why did you decide against it? E.g. security, usability, etc.

b.       What is your process to return MFA availability to users?

Thank you in advance for you replies,
________________________________
Martin Douglas (martin () uwo ca)
Associate Director, Application Development
WTS, Western University
519 661-2111 x.81187

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community