Question

2FA / password reset self-service for Okta and Google Workspace (without human interface)

  • 12 November 2020
  • 9 replies
  • 71 views


Hey :wave:

We’re thinking about allowing our users to reset their Okta and Google Workspace passwords and/or 2FA through some kind of self-service option; currently an admin has to do it manually after “verifying” the user.

With most people working remotely these days, it means increased amounts of “we need to video call you, when are you available” type of back and forth, and the company is growing so it kind of doesn’t scale that well :expressionless: Back in the day you could just ask the user to pop in to IT whenever convenient.

Is anyone using any setups for this and if so what is it? Trying to figure out a good balance between usability and security.

Thanks :relaxed:



My team is dealing with a similar situation. In our case, IT needs to reset the MFA device so the user can set up a new one. The same is true for PW resets. I’m curious what you find.



Sent via Slack Thread

For MFA reset situations, we’ve instituted multiple flavors of MFA, encouraging (but not yet enforcing) a secondary factor. That way, when a user gets a new phone and needs to reset Okta Verify, they can still log in using TouchID on their Mac and reset it themselves.



Sent via Slack Thread

For passwords, we disable self-service pw reset for security reasons, but to verify the user identity we recently started using Rockstar (hat-tip to @gabriel.sroka) to handle this and speed up the process. The Okta UI doesn’t allow you (AFAIK) to send a push notification to the user’s Verify device, but Rockstar does:


Sent via Slack Thread
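The identity check described above (issue an Okta Verify push to the caller's enrolled device and act only on an approval), as an added example that is not Rockstar's code or the poster's. It uses Okta's documented Factors API endpoints; the org URL, the token placeholder, the user and factor ids, and the `fake_okta` transport with its canned responses are constructed for illustration.

```python
import json
import time
import urllib.request

# Added example, not Rockstar's code. Constructed values: the org URL and the
# token placeholder; the endpoints are Okta's documented Factors API.
OKTA_ORG = "https://example.okta.com"
API_TOKEN = "REPLACE_WITH_SSWS_API_TOKEN"  # placeholder; never hard-code a real token

def okta_request(method, url, body=None):
    """Minimal JSON transport for the Okta API; swapped for a fake in offline tests."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"SSWS {API_TOKEN}",
        "Accept": "application/json", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())

def find_push_factor(user_id, request=okta_request):
    """Return the user's ACTIVE Okta Verify push factor, or None if none is enrolled."""
    for f in request("GET", f"{OKTA_ORG}/api/v1/users/{user_id}/factors"):
        if (f.get("factorType"), f.get("provider"), f.get("status")) == ("push", "OKTA", "ACTIVE"):
            return f
    return None

def verify_caller_by_push(user_id, request=okta_request, sleep=time.sleep, max_polls=12):
    """Send a push to the caller's enrolled device and wait for their decision.
    Returns SUCCESS, REJECTED, TIMEOUT or NO_PUSH_FACTOR; only SUCCESS should let
    the helpdesk proceed with a manual password or factor reset."""
    factor = find_push_factor(user_id, request)
    if factor is None:
        return "NO_PUSH_FACTOR"
    result = request("POST", f"{OKTA_ORG}/api/v1/users/{user_id}/factors/{factor['id']}/verify", {})
    polls = 0
    while result.get("factorResult") == "WAITING" and polls < max_polls:
        sleep(5)  # Okta hands back a poll link while the push is still outstanding
        result = request("GET", result["_links"]["poll"]["href"])
        polls += 1
    outcome = result.get("factorResult", "TIMEOUT")
    return "TIMEOUT" if outcome == "WAITING" else outcome

def fake_okta(responses):
    """Fake transport built from constructed responses, returned in call order."""
    queue = list(responses)
    return lambda method, url, body=None: queue.pop(0)
```

A helpdesk tool would call `verify_caller_by_push` with the real `okta_request` transport and record the returned outcome alongside the ticket before touching the account.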

You can also have the option to have the user read you the OTP from the Verify app.

Sent via Slack Thread

That’s really interesting. I recently found out about the Okta verify push option within Rockstar. Definitely a handy tool but not something we’ve incorporated into our process yet.



Sent via Slack Thread

Yeah, I wish Okta would enable this functionality on the user admin screen… I mean, all the APIs are there already.



Sent via Slack Thread

This was an interesting thread about Rockstar and is one of the main reasons why it's not officially part of our process. https://better-it.slack.com/archives/C70L3V9B9/p1604349994054800



Sent via Slack Thread

I'm with you about adding Okta Verify Push as an admin option.



Sent via Slack Thread

Our policy is to review a SOC 2 Type 2 for any third-party apps before using them. In this case, I use the extension with approval from my boss mainly because of the goodwill that’s behind the work that you do @gabriel.sroka. It would be great if the app was officially supported by Okta. That would allow me to incorporate it into our existing processes. For now, I use it solely to supplement the missing features within Okta. My teammates don’t use it.



Sent via Slack Thread