Self-service Authenticator reset

I think I know the answer but sanity check here - There’s no way to provide a “self-service” authenticator reset, correct? It makes sense to me why this isn’t possible (nor encouraged if it is), as allowing external users to reset factor(s) in the case of forgetting, lost device, etc. may lead to MFA becoming a single point of failure.

Given that we can’t necessarily rid ourselves of help desk tickets requesting authenticator resets, are there any thoughts on how to best streamline the process? While still a manual process, the introduction of the TAC authenticator seems like a good option.

Hello,

One way could be to have the end user enroll in multiple MFAs so that, in case they want to reset their MFA, they can access their Okta dashboard and manage their MFA methods.

More details here - https://support.okta.com/help/s/article/self-reset-mfa-for-users?language=en_US


Thanks for the response @akanksha_bhasin ! Yes this is something I will definitely advocate for as a preemptive measure moving forward - But even then I suppose the specific factors required matters. It does a user no good if they have Google Authenticator and Okta Verify (both device bound) and they lose their device. Unless the user has a 2nd factor that isn’t device bound it seems like there is no way to reset factors without the involvement of an admin.

One way I have solved for this was to leverage Okta Workflows to allow them to place themselves within scope of a group, which is then targeted for an additional authenticator (knowledge factor). This would allow them to get themselves in, reset their primary factor, and automatically revoke that group/additional factor. It worked like a charm and InfoSec was more than happy to play ball. It involves requiring them to set up that knowledge factor upon enrolling/activating in Okta. The knowledge factor can be swapped out for any factor you’d like so long as it makes everyone happy.
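The temporary-group flow described in the reply above, and the "both factors were on the lost device" dead end from the earlier reply, as an added Python model. This is example code written for this page, not code from any of the posters, from Okta, or from Okta Workflows. It assumes an in-memory stand-in for the Okta Management API (the endpoint paths in the comments are the public Users/Groups/Factors endpoints; the class itself is constructed), a hypothetical group name `mfa-self-reset`, a constructed split of factor types into device-bound versus knowledge, and audit strings patterned on System Log event names. The knowledge factor is modeled as staying enrolled while group membership is what makes it usable for sign-in, so revoking the group is what closes the window.

```python
from dataclasses import dataclass, field

# Constructed classification: the factorType names are Okta's, the split into
# device-bound vs. knowledge is this example's assumption.
DEVICE_BOUND = {"okta_verify", "google_otp", "webauthn"}
KNOWLEDGE = {"question"}
RESET_GROUP = "mfa-self-reset"  # hypothetical group targeted by the knowledge-factor policy


@dataclass
class Factor:
    factor_type: str
    status: str = "ACTIVE"


@dataclass
class User:
    user_id: str
    factors: list
    groups: set = field(default_factory=set)


@dataclass
class FakeOkta:
    """In-memory stand-in for the Okta Management API so the flow runs offline.
    Each method names the real endpoint it imitates; the audit strings are
    constructed, patterned on System Log event types."""
    users: dict
    audit: list = field(default_factory=list)

    def add_to_group(self, uid, gid):       # PUT /api/v1/groups/{gid}/users/{uid}
        self.users[uid].groups.add(gid)
        self.audit.append(f"group.user_membership.add {uid} {gid}")

    def remove_from_group(self, uid, gid):  # DELETE /api/v1/groups/{gid}/users/{uid}
        self.users[uid].groups.discard(gid)
        self.audit.append(f"group.user_membership.remove {uid} {gid}")

    def active_factors(self, uid):          # GET /api/v1/users/{uid}/factors
        return [f for f in self.users[uid].factors if f.status == "ACTIVE"]

    def delete_factor(self, uid, factor_type):  # DELETE /api/v1/users/{uid}/factors/{factorId}
        for f in self.users[uid].factors:
            if f.factor_type == factor_type and f.status == "ACTIVE":
                f.status = "INACTIVE"
                self.audit.append(f"user.mfa.factor.deactivate {uid} {factor_type}")

    def enroll_factor(self, uid, factor_type):  # POST /api/v1/users/{uid}/factors
        self.users[uid].factors.append(Factor(factor_type))
        self.audit.append(f"user.mfa.factor.activate {uid} {factor_type}")


def eligible_for_self_reset(okta, uid):
    """With no active factor that is independent of the lost device there is
    nothing left to verify the user with, so the request must go to the help desk."""
    return any(f.factor_type not in DEVICE_BOUND for f in okta.active_factors(uid))


def self_service_reset(okta, uid, knowledge_verified, new_factor_type):
    """Join the reset group (which makes the knowledge factor acceptable for
    sign-in), verify that factor, drop the device-bound factors, enroll the
    replacement, and always leave the group again so the knowledge factor can
    never be used on its own outside a reset."""
    if not eligible_for_self_reset(okta, uid):
        return {"status": "helpdesk_required"}
    okta.add_to_group(uid, RESET_GROUP)
    try:
        if not knowledge_verified:
            return {"status": "denied"}
        lost = [f.factor_type for f in okta.active_factors(uid) if f.factor_type in DEVICE_BOUND]
        for t in lost:
            okta.delete_factor(uid, t)
        okta.enroll_factor(uid, new_factor_type)
        return {"status": "reset", "removed": sorted(lost)}
    finally:
        # Runs on every path, so a failed verification never leaves the user in the group.
        okta.remove_from_group(uid, RESET_GROUP)


def demo():
    """Constructed sample users: u1 enrolled a knowledge factor at activation as the
    reply recommends, u2 has only device-bound factors, u3 fails verification."""
    okta = FakeOkta(users={
        "u1": User("u1", [Factor("okta_verify"), Factor("google_otp"), Factor("question")]),
        "u2": User("u2", [Factor("okta_verify"), Factor("google_otp")]),
        "u3": User("u3", [Factor("okta_verify"), Factor("question")]),
    })
    return {
        "prepared": self_service_reset(okta, "u1", True, "okta_verify"),
        "unprepared": self_service_reset(okta, "u2", True, "okta_verify"),
        "denied": self_service_reset(okta, "u3", False, "okta_verify"),
        "u1_factors": sorted(f.factor_type for f in okta.active_factors("u1")),
        "u3_factors": sorted(f.factor_type for f in okta.active_factors("u3")),
        "u3_in_group": RESET_GROUP in okta.users["u3"].groups,
        "audit": okta.audit,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The `finally` clause is the part worth copying into a real Workflow: the group membership that unlocks the knowledge factor must be revoked on the denied path as well as the success path, otherwise a wrong answer leaves the user permanently able to sign in with the weaker factor.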