Firesphere / silverstripe-bootstrapmfa

Bootstrap your MultiFactor with backup codes and a ready-to-go second-factor authentication
BSD 3-Clause "New" or "Revised" License

Gaining access without MFA, or Backup codes available #41

Open brynwhyman opened 5 years ago

brynwhyman commented 5 years ago

Also considers a user being able to reset their password without usable MFA and backup codes, in case all three are lost.

The proposed flow (read row by row, User | System):

| User | System |
| --- | --- |
| CMS user contacts admin for authentication reset | _ |
| Admin authenticates CMS user outside the CMS controls, based on site owner guidelines | _ |
| CMS admin accesses CMS user profile | Presents user profile |
| CMS admin selects 'authentication reset' | Email is sent to CMS user with unique 'invite' link to set up their login again |
| CMS user clicks link | Link is marked as expired. User is presented with 'new user' screen |
| CMS user sets up new password | On success, drops all previous authentication settings (MFA, password, etc). Takes user to MFA 'getting started screen' |
| CMS user proceeds with MFA setup | |
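The flow in the table above, modelled as an added in-memory example; this is not code from silverstripe-bootstrapmfa or from the issue author, and the class and function names (`Member`, `ResetService`, `issue_reset`, `click_link`, `complete_setup`), the 24-hour link lifetime and the 12-character minimum password length are assumptions made for illustration. It shows the three properties the proposal relies on: the invite link is single-use (marked expired on the first click, so a replay gets nothing), it expires on its own if never clicked, and completing the new-user screen drops every previous credential (old password, MFA secret, backup codes) and forces MFA setup.

```python
"""Added example: admin-driven 'authentication reset' with a single-use invite
link. Names and limits here are assumptions, not the project's own API."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

LINK_TTL_SECONDS = 24 * 3600   # assumed lifetime of an unused invite link
MIN_PASSWORD_LENGTH = 12       # assumed minimum; a real site uses its own policy


@dataclass
class Member:
    """A CMS user and every authentication setting the reset must drop."""
    email: str
    password_hash: Optional[str] = None
    mfa_secret: Optional[str] = None
    backup_codes: List[str] = field(default_factory=list)
    mfa_setup_required: bool = False


@dataclass
class ResetLink:
    token_hash: str
    member: Member
    expires_at: float
    used: bool = False


def hash_password(password: str) -> str:
    """Salted PBKDF2 so the stored value is not the password itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + ":" + digest.hex()


class ResetService:
    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now                      # injectable clock (for expiry tests)
        self._links: Dict[str, ResetLink] = {}

    @staticmethod
    def _digest(token: str) -> str:
        # Only a hash of the token is stored, so a leaked table row does not
        # hand out a usable link; the emailed token is the only copy.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_reset(self, member: Member) -> str:
        """Admin selects 'authentication reset': mint a fresh single-use token.
        Any earlier unused link for the same member is invalidated. Returns the
        raw token that would be embedded in the emailed link."""
        for link in self._links.values():
            if link.member is member:
                link.used = True
        token = secrets.token_urlsafe(32)
        key = self._digest(token)
        self._links[key] = ResetLink(token_hash=key, member=member,
                                     expires_at=self._now() + LINK_TTL_SECONDS)
        return token

    def click_link(self, token: str) -> Optional[ResetLink]:
        """User clicks the link. It is marked expired on the first click, so a
        second click or a replayed link returns None; unknown and timed-out
        tokens return None as well."""
        link = self._links.get(self._digest(token))
        if link is None or link.used or self._now() > link.expires_at:
            return None
        link.used = True
        return link

    @staticmethod
    def complete_setup(link: ResetLink, new_password: str) -> bool:
        """'New user' screen submits a password. On success every previous
        authentication setting is dropped and MFA setup becomes mandatory."""
        if len(new_password) < MIN_PASSWORD_LENGTH:
            return False
        member = link.member
        member.password_hash = hash_password(new_password)
        member.mfa_secret = None          # old authenticator no longer valid
        member.backup_codes = []          # old backup codes no longer valid
        member.mfa_setup_required = True  # lands on the MFA 'getting started' screen
        return True


if __name__ == "__main__":
    svc = ResetService()
    user = Member("user@example.com", password_hash="old", mfa_secret="old-secret",
                  backup_codes=["code-1", "code-2"])
    token = svc.issue_reset(user)           # would be emailed to the user
    link = svc.click_link(token)
    print("second click rejected:", svc.click_link(token) is None)
    print("setup ok:", ResetService.complete_setup(link, "a new long passphrase"))
    print("mfa required:", user.mfa_setup_required, "codes left:", user.backup_codes)
```

The link store is keyed by the token hash, so the lookup itself is the comparison; the token only ever exists in the email. Re-issuing a reset for the same member invalidates the older link, which matters when an admin triggers the reset twice or an earlier email reaches the wrong inbox.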

brynwhyman commented 5 years ago

From UX research cc @clarkepaul: Pros

Cons