Managing MFA for Administrators
This guide explains how administrators with proper permissions can manage Multi-Factor Authentication (MFA) for other administrator accounts, including resetting MFA when users are locked out or lose access to their authenticator devices.
You must have the Manage Multi-Factor Authentication permission to reset MFA for other administrators. This permission is typically assigned to IT administrators and system administrators.
Understanding MFA Management
When MFA Reset is Needed
Common scenarios requiring an MFA reset:
- Lost or stolen device - User no longer has access to their authenticator app
- New phone - User got a new phone and didn't transfer authenticator codes
- Locked out - User lost their backup codes and can't generate valid codes
- App reinstalled - User accidentally deleted their authenticator app
- Device failure - Phone is broken or won't power on
Resetting MFA removes all authentication methods and backup codes. The user will need to re-enroll in MFA after the reset.
Checking Your Permissions
To verify you have the required permission:
- Navigate to Administrators → View Administrators
- Click on your own name to view your profile
- Check your assigned role and permissions
- Look for Manage Multi-Factor Authentication in your permissions list
If you don't have this permission:
- Contact your system administrator or IT director
- Request the Manage MFA permission be added to your role
- Provide a business justification (e.g., "Help desk support for locked-out users")
Viewing MFA Status for Administrators
To check if an administrator has MFA enabled:
- Go to Administrators → View Administrators
- Click on the administrator's name to edit their account
- Scroll to the Security Settings section
MFA Status Indicators:
MFA Enabled: This administrator has MFA active on their account ✓
MFA Not Enabled: This administrator has not enrolled in MFA
You will only see the Security Settings section if:
- MFA is enabled system-wide in Settings
- You have the "Manage Multi-Factor Authentication" permission
Resetting MFA for Another Administrator
Step-by-Step Reset Process
-
Verify the request is legitimate
- Confirm the administrator's identity using approved verification methods
- Don't reset MFA based solely on email or phone requests without verification
- When possible, verify in person or via secure communication channel
-
Navigate to the administrator's account
- Go to Administrators → View Administrators
- Search for or locate the administrator who needs the reset
- Click on their name to open their profile
-
Locate the Security Settings section
- Scroll down to the Security Settings section
- Verify MFA is currently enabled (green status indicator)
-
Perform the reset
- Click the Reset MFA button
- A confirmation dialog will appear
-
Confirm the reset
- Review the confirmation message carefully
- Confirm you want to reset MFA for the selected administrator
- Click Yes, reset MFA to proceed
-
Notify the administrator
- Immediately inform the administrator that MFA has been reset
- Provide instructions on how to re-enroll (see below)
- If MFA is required, explain they must re-enroll immediately
What Happens During a Reset
When you reset MFA for an administrator:
- ✅ Their existing TOTP secret is removed
- ✅ All backup codes are invalidated
- ✅ MFA status changes from "Enabled" to "Not Enabled"
- ✅ The action is logged in the Activity Log
- ✅ The administrator can now log in without MFA (if not required)
After resetting MFA, the administrator can log in without multi-factor authentication until they re-enroll. If MFA is required for their role, they'll be forced to re-enroll on their next login.
Helping Users Re-Enroll After Reset
After resetting an administrator's MFA, guide them through re-enrollment:
If MFA is Required
- The administrator logs in with username and password
- They're automatically redirected to their profile page with a warning
- They cannot navigate elsewhere until MFA is enabled
- They click Enable MFA in the security section
- Follow the enrollment process (scan QR code, verify code, save backup codes)
If MFA is Optional
- The administrator logs in normally
- Recommend they navigate to My Profile
- Scroll to the Security section
- Click Enable MFA
- Complete the enrollment process
Send users the Administrator MFA Setup Guide for detailed enrollment instructions.
Best Practices for MFA Management
Verification Procedures
Before resetting MFA, verify the administrator's identity:
Acceptable Verification Methods:
- ✅ In-person request with photo ID
- ✅ Video call where you can see the person
- ✅ Phone call to known/verified phone number + answering security questions
- ✅ Authenticated request through secure ticketing system
Unacceptable Verification Methods:
- ❌ Email-only request
- ❌ Request from unknown email address
- ❌ Request without identity verification
- ❌ Third-party request (someone asking for another person)
Resetting MFA without proper verification could allow unauthorized access to administrator accounts. Always verify identity before performing a reset.
Documentation
Always document MFA reset actions:
-
Before Reset:
- Date and time of request
- Method of identity verification used
- Reason for reset (lost device, new phone, etc.)
- Requestor's name and contact information
-
After Reset:
- Date and time reset was performed
- Your name (who performed the reset)
- Confirmation that user was notified
- Any follow-up actions needed
All MFA resets are automatically logged in the Activity Log. Use this for audit trails and security reviews.
Communication
Communicate clearly with the affected administrator:
Immediately after reset:
Subject: Your MFA Has Been Reset
Your Multi-Factor Authentication has been reset for your Manage1to1
administrator account.
Next steps:
1. Log in to Manage1to1 using your username and password
2. Navigate to My Profile
3. Click "Enable MFA" in the Security section
4. Follow the on-screen instructions to re-enroll
If MFA is required for your role, you'll be prompted to enroll
immediately upon login.
If you did not request this reset, contact IT immediately.
Reset performed by: [Your Name]
Date: [Date/Time]
Ticket #: [If applicable]
Troubleshooting
Common Issues
"I don't see the Reset MFA button"
- Verify you have the "Manage Multi-Factor Authentication" permission
- Check that MFA is enabled system-wide in Settings
- Confirm the administrator actually has MFA enabled (you can only reset if it's active)
"The reset didn't work - user still can't log in"
- Verify the reset completed successfully (check Activity Log)
- Ensure the user is using the correct username and password
- Check if there are other account issues (account disabled, password expired)
- Try resetting the user's password as well
"User keeps getting locked out after re-enrolling"
- Verify the user's device time is synchronized correctly
- Ensure they're using a compatible authenticator app
- Check if backup codes are being used instead of TOTP codes
- Review the user's authentication logs for patterns
"Can't reset MFA for certain administrators"
- You cannot reset MFA for super administrators unless you're also a super admin
- Verify the user exists and is an active administrator
- Check for any system errors in the browser console
Security Considerations
Preventing MFA Bypass Attacks
Social engineering attacks often target MFA reset procedures:
Red Flags:
- 🚩 Urgent requests outside business hours
- 🚩 Requests via unusual communication channels
- 🚩 Inability to answer basic security questions
- 🚩 Multiple reset requests in short timeframe
- 🚩 Request doesn't match user's communication style
If you suspect an attack:
- Don't reset MFA
- Contact the administrator directly using known contact information
- Document the suspicious request
- Report to your security team or IT director
Monitoring MFA Resets
Regularly review MFA reset activity:
- Navigate to Activity Log
- Filter for "MFA Reset" actions
- Look for unusual patterns:
- Same administrator reset multiple times
- Unusual timing (after hours, weekends)
- Resets by unexpected staff members
- High volume of resets
Keep the Activity Log enabled and review it regularly as part of your security monitoring procedures.
Permission Details
Manage Multi-Factor Authentication Permission
Permission Name: manage-mfa
Display Name: Manage Multi-Factor Authentication
Category: Settings
This permission allows:
- ✅ Viewing MFA status for all administrators
- ✅ Resetting MFA for other administrators
- ✅ Accessing the Security Settings section when editing admins
This permission does NOT allow:
- ❌ Disabling MFA system-wide
- ❌ Bypassing MFA requirements
- ❌ Viewing other administrators' backup codes
- ❌ Forcing MFA enrollment for specific roles
Assigning the Permission
System administrators can assign this permission through roles:
- Navigate to Settings → System Settings → Roles & Permissions
- Select the role you want to modify (e.g., "IT Administrator")
- Check Manage Multi-Factor Authentication in the permissions list
- Save the role
Recommended roles for this permission:
- IT Administrators
- Help Desk Staff
- System Administrators
- Security Officers
Not recommended for:
- General staff
- Building-level administrators (unless they provide IT support)
- Limited-access administrative roles
Need Help?
If you have questions about managing MFA or encounter issues:
- Review the Activity Log - Check if the reset was logged successfully
- Contact Support - Submit a ticket through Manage1to1 Support
- Documentation - Reference the guides above for detailed procedures
For security concerns or suspected MFA bypass attempts, contact your IT security team immediately.