topic MFA for Administrators in Cloud Networking Platform

MFA for Administrators

DillonWhite9048 — Tue, 13 Aug 2019 15:30:33 GMT

Why cant you have another organization Administrator reset this?/ It seems a little overkill to have to create a case just for a new phone number or lost device.

Thoughts?

Re: MFA for Administrators

SoCalRacer — Tue, 13 Aug 2019 16:03:31 GMT

Please note SMS auth is considered beta

Process to reset is outlined here.

https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Two-Factor_Authentication#Recovering_Access_to_Accounts_Protected_by_Two-Factor_Authentication

I would say the general position is that losing devices isn't a regular thing. Allowing any admin to reset a 2FA could cause a security issue in that if the admin was a disgruntled employee then they could reset all the 2FA and it would break logins for everyone. They then could cause havoc. Essentially this process allows User, Admin, and Support to ok the change. Security is a pain, but required. My suggestion would be use a device you won't lose using Google Authenticator instead of SMS.

Re: MFA for Administrators

DillonWhite9048 — Tue, 13 Aug 2019 16:17:02 GMT

@SoCalRacer Yeah I actually use DUO auth so it's not bad I just had a coworker have to factory reset his phone and the below happened.

"Google Auth App won't restore my settings " I look at the documentation for 2 minutes. Proceed to delete and readd admin

Told him to Use SMS or DUO as we have an enterprise Duo and it saves all your settings

I'm all for security and that internal disgruntled worker makes sense. But even DUO doesn't require that for a forgotten device, hence my conundrum for this notarized security!

Re: MFA for Administrators

BlakeRichardson — Tue, 13 Aug 2019 23:00:47 GMT

We have all of our admin accounts across most services using MFA / 2FA. We do also have a backup account just in case without this enabled, the last thing I want is to be locked out becuase I am not recieving the notification.

Re: MFA for Administrators

MarioBlandino — Mon, 27 Feb 2023 18:56:56 GMT

I am an admin in our dashboard, another user changed his cell phone and now he cannot authenticate or access the dashboard and I cannot help him. I read the security concern. which I consider invalid. I am the Domain Admin, and it is part of my role to be able to reset, change, add, delete any account or application. You are taking my role. I appreciate the advice. Using your logic then, Allowing Cisco support admin to reset a 2FA could cause a security issue in that if the cisco admin was a disgruntled employee, then they could reset all the 2FA and it would break logins for everyone in the cisco world. You could cause havoc.