What happens with force 2-step auth and lost phone?

[SJ77]

Hi

I want to force 2 step auth and have AUTHY setup as the available option. (members can get sms text message codes)

I am worried that members will lose their phone and not be able to get into the site again.

What happens in this case?

[SJ77]

I guess this issue could happen with google auth setup as well. Any ideas what happens?

Are members just blocked for good?

[Makoto]

Basically yes.

2fa services like Google allow you to make a list of single-use backup codes that can be used in-case you lose your phone.

Otherwise, they will have to contact you in order to regain site access.

[SJ77]

Would be nice if someone made a plugin to force security questions as an option if using authy or google 

[Jim M]

With our software there are two options the admin can enable should a user lose their phone (or forget your security questions). One is to email a recovery code to the user and the other is to use the contact form to reach out to an admin.

[SJ77]

1 hour ago, Jim M said:

With our software there are two options the admin can enable should a user lose their phone (or forget your security questions). One is to email a recovery code to the user and the other is to use the contact form to reach out to an admin.

But the contact form could be anyone. “Yeah, yeah I got locked out. Can you let me in?”

[Rhett]

14 minutes ago, SJ77 said:

But the contact form could be anyone. “Yeah, yeah I got locked out. Can you let me in?”

Verify them silly. 😋

 

[SJ77]

1 minute ago, Rhett said:

Verify them silly. 😋

 

Probably a dumb question, but how?

[Rhett]

14 minutes ago, SJ77 said:

Probably a dumb question, but how?

There are many ways, it would all depend on what you would like to do, email address, phone number, security questions, the credit card on the account. 

 

 

[SJ77]

I see what you mean. Manual. 

This would work assuming they have something on file to reference. I get bare bones accounts saying “I lost access to my email and can’t get into my account”. 

Thank you

[Rhett]

4 hours ago, SJ77 said:

I see what you mean. Manual. 

This would work assuming they have something on file to reference. I get bare bones accounts saying “I lost access to my email and can’t get into my account”. 

Thank you

If there is nothing on the account, and they lost email access, they can clearly verify the old email address, if it's a bare-bones account, with nothing on it to verify, nothing is lost in changing the email to a present one. 🙂

[SJ77]

Touché!

[Joel R]

This past weekend, I recovered 2FA access to an old account where I had set up Google Authenticator in the past and no longer had the account listed in Google Authenticator.  I also didn't have the single use codes.  

All they had me do was verify that I owned the email address.