Multi-factor authentication (MFA) adds a second lock to the door, so a stolen password alone isn’t enough to get in. It’s one of the strongest protections your customers have, which is exactly why the tickets around it need a careful hand.
Two factors, one door
Section titled “Two factors, one door”MFA combines factors of different kinds:
- Something you know: the password.
- Something you have: a code or push from an authenticator app, a hardware key, or (weakest) an SMS code.
- Sometimes something you are: a fingerprint or face.
The strength comes from mixing types: an attacker who phishes the password still can’t produce the thing in the user’s pocket.
The everyday MFA tickets
Section titled “The everyday MFA tickets”- “I didn’t get my code.” Usually an enrolment or connectivity hiccup. Check the right device or number is enrolled and has signal, then re-send. Don’t strip MFA off the account as a shortcut.
- New or lost phone. The user needs to re-enrol their second factor on the new device. This is a change to their security, so treat it with care.
- Temporary access. Some environments allow a one-time bypass code so a stuck user can get in while they re-enrol. Follow your local process for when that’s allowed.