<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Unable to re-register 2FA without disabling org-wide forced 2FA in Cloud Networking Platform</title>
    <link>https://community.cisco.com/t5/cloud-networking-platform/unable-to-re-register-2fa-without-disabling-org-wide-forced-2fa/m-p/5404659#M2188</link>
    <pubDate>Thu, 12 Jun 2025 15:56:47 GMT</pubDate>
    <dc:creator>bmull</dc:creator>
    <dc:date>2025-06-12T15:56:47Z</dc:date>
    <item>
      <title>Unable to re-register 2FA without disabling org-wide forced 2FA</title>
      <link>https://community.cisco.com/t5/cloud-networking-platform/unable-to-re-register-2fa-without-disabling-org-wide-forced-2fa/m-p/5404659#M2188</link>
      <description>&lt;P&gt;It seems impossible for Meraki dashboard users to re-register their 2FA authentication token (in the case they're changing their current mobile device) via the Meraki dashboard when the Organization Setting &lt;SPAN&gt;"Force users to set up and use two-factor authentication" is enabled. This seems like a UX gap. Am I missing something?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;With "Force users to set up and use two-factor authentication" enabled the user profile only shows an option to "(re)configure offline access on a mobile device":&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bmull_2-1749743536523.png" style="width: 999px;"&gt;&lt;span class="lia-inline-image-display-wrapper" image-alt="image.png"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/264318iBD31572C19F4F9D7/image-size/large?v=v2&amp;amp;px=999" role="button" title="image.png" alt="image.png" /&gt;&lt;/span&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;With "Force users to set up and use two-factor authentication" disabled the user profile shows an option to "Turn off two-factor authentication" and a link to "(re)configure offline access on a mobile device":&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bmull_0-1749743309572.png" style="width: 999px;"&gt;&lt;span class="lia-inline-image-display-wrapper" image-alt="image.png"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/264317iBB5554CD85AC628E/image-size/large?v=v2&amp;amp;px=999" role="button" title="image.png" alt="image.png" /&gt;&lt;/span&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;When selecting "(re)configure offline access on a mobile device" on a mobile device there is no option to set up 2FA on a new device (this is the same even if the mandatory 2FA org setting is enabled or 
disabled):&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bmull_1-1749743455256.png" style="width: 400px;"&gt;&lt;span class="lia-inline-image-display-wrapper" image-alt="image.png"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/264319i9D1E89D8D41ADC11/image-size/large?v=v2&amp;amp;px=999" role="button" title="image.png" alt="image.png" /&gt;&lt;/span&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;The implication here is that organizations that force 2FA for all their users need to temporarily disable org-wide mandatory 2FA so that users can turn off two-factor authentication and then re-enroll on their new device. This seems very poorly thought out. There ought to be a 2FA re-enrollment wizard to facilitate this use-case without having to turn off mandatory 2FA for the entire organization by an admin.&lt;/P&gt;</description>
      <pubDate>Thu, 12 Jun 2025 15:56:47 GMT</pubDate>
      <guid>https://community.cisco.com/t5/cloud-networking-platform/unable-to-re-register-2fa-without-disabling-org-wide-forced-2fa/m-p/5404659#M2188</guid>
      <dc:creator>bmull</dc:creator>
      <dc:date>2025-06-12T15:56:47Z</dc:date>
    </item>
    <item>
      <title>Re: Unable to re-register 2FA without disabling org-wide forced 2FA</title>
      <link>https://community.cisco.com/t5/cloud-networking-platform/unable-to-re-register-2fa-without-disabling-org-wide-forced-2fa/m-p/5404660#M2189</link>
      <description>&lt;P&gt;This is something switching to SAML would resolve.&lt;BR /&gt;&lt;BR /&gt;However I feel your pain as we developed an API solution for managing our admins before SAML was as fully baked as it is now. We have a dummy org that we can add users to w/o 2FA forced that we can put them in and temporarily remove them from something else so that they can make these sorts of changes when necessary.&lt;/P&gt;</description>
      <pubDate>Thu, 12 Jun 2025 16:02:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/cloud-networking-platform/unable-to-re-register-2fa-without-disabling-org-wide-forced-2fa/m-p/5404660#M2189</guid>
      <dc:creator>mloraditch</dc:creator>
      <dc:date>2025-06-12T16:02:13Z</dc:date>
    </item>
    <item>
      <title>Re: Unable to re-register 2FA without disabling org-wide forced 2FA</title>
      <link>https://community.cisco.com/t5/cloud-networking-platform/unable-to-re-register-2fa-without-disabling-org-wide-forced-2fa/m-p/5404661#M2190</link>
      <description>&lt;P&gt;Hi &lt;A href="https://community.meraki.com/t5/user/viewprofilepage/user-id/128324"&gt;@bmull&lt;/A&gt;,&lt;/P&gt;&lt;P&gt;You are correct, with the current design, &lt;SPAN&gt;"Force users to set up and use two-factor authentication" must be disabled from every organization the account is associated with to complete the process of disabling 2FA for the user—which will then allow the user to turn off 2FA and re-enroll their new device. &lt;/SPAN&gt;&lt;/P&gt;&lt;DIV class=""&gt;&lt;P&gt;If you use Duo Mobile, enabling Duo Restore (&lt;A title="https://guide.duo.com/duo-restore#enable-backup-ios" href="https://guide.duo.com/duo-restore#enable-backup-ios" target="_blank" rel="external noopener nofollow noreferrer"&gt;iOS&lt;/A&gt;, &lt;A title="https://guide.duo.com/duo-restore#android" href="https://guide.duo.com/duo-restore#android" target="_blank" rel="external noopener nofollow noreferrer"&gt;Android&lt;/A&gt;) will allow for easier account recovery to the new device.&lt;/P&gt;&lt;P&gt;Cheers,&lt;/P&gt;&lt;/DIV&gt;</description>
      <pubDate>Thu, 12 Jun 2025 19:26:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/cloud-networking-platform/unable-to-re-register-2fa-without-disabling-org-wide-forced-2fa/m-p/5404661#M2190</guid>
      <dc:creator>bperezgo</dc:creator>
      <dc:date>2025-06-12T19:26:58Z</dc:date>
    </item>
    <item>
      <title>Re: Unable to re-register 2FA without disabling org-wide forced 2FA</title>
      <link>https://community.cisco.com/t5/cloud-networking-platform/unable-to-re-register-2fa-without-disabling-org-wide-forced-2fa/m-p/5404662#M2191</link>
      <description>&lt;P&gt;This is 100% a design flaw.  I would call it a bug.&lt;/P&gt;&lt;P&gt;Not a fix; are you aware of email plus codes?  After the username part, you can put a + and another bit of text, and it will still go to your email address.  For example, these will all get delivered to the same place:&lt;/P&gt;&lt;P&gt;&lt;A href="mailto:user+phone1@comapny.com" target="_blank" rel="nofollow noopener noreferrer"&gt;user+phone1@comapny.com&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="mailto:user+phone2@comapny.com" target="_blank" rel="nofollow noopener noreferrer"&gt;user+phone2@comapny.com&lt;/A&gt;&lt;/P&gt;&lt;P&gt;My horrible solution, sign up as a second administrator using a plus code email address,&lt;/P&gt;</description>
      <pubDate>Fri, 13 Jun 2025 03:13:09 GMT</pubDate>
      <guid>https://community.cisco.com/t5/cloud-networking-platform/unable-to-re-register-2fa-without-disabling-org-wide-forced-2fa/m-p/5404662#M2191</guid>
      <dc:creator>Philip D'Ath</dc:creator>
      <dc:date>2025-06-13T03:13:09Z</dc:date>
    </item>
  </channel>
</rss>

