Issue
This guide will cover all the different situations and authentication requirements for resetting 2FA for a user.
Applies To
All users with 2FA.
Resolution
Situation 1:
When the user is an owner, and there is another owner listed with the org:
If there is another owner, the quickest option is for the user to ask that other owner to reset their 2FA for them.
You can use this macro, but you will need to edit it: 2FA > Non-Owner (Account Settings > Remove 2FA)
Situation 2:
When the user is the only owner:
Use macro: 2FA > Owner (Account Settings > Remove 2FA)
In this case we need them to write in from the correct email, verify the last 4, and have two members consent in the email thread.
Situation 3:
The user only belongs to a free org and is that org's only member and OWNER (not currently a member of any paid orgs):
We just need their consent, and for them to write in from the correct email, to reset it.
Situation 4:
The user only belongs to a free org and is a member but NOT the owner (not currently a member of any paid orgs):
If the org does not have 2FA enabled, we can go ahead and reset 2FA, making sure the user is responding from the email in question.
If the org does have 2FA enabled, we will need consent from the owner, and we need to make sure the user responds from the email in question.
Situation 5:
The user doesn't belong to any orgs in _admin:
We just need their consent, and for them to write in from the correct email, to reset it (same as above).
Situation 6:
The user belongs to multiple paid orgs:
We will need to tell the user that, to reset their 2FA, we have to remove them from one of the orgs, and that they will need to be re-invited to any org they want to re-join. We do not add them back to the removed org afterwards.
Then we follow the normal authentication flow for the org they are still a member of.
Notes:
- We do not need to remove them if one of the orgs is free, only if there are multiple paid orgs.
- If the user wants to know the list of their orgs, it's okay to share it.
- If the user is part of a large number of orgs, please escalate to a senior/TL/manager for review, as we can likely make an exception and not remove them from all other orgs.
- Example here of a user who was part of 25 orgs and for whom we made an exception.
Situation 7:
The user is not an owner, just a member/admin/manager.
Use macro: 2FA > Non-Owner (Account Settings > Remove 2FA)
It's best if they reach out to the owner to reset their 2FA; it's quicker.
a) If the org requires 2FA, keep this macro as is: the owner will need to turn 2FA off first, or else the button will be greyed out rather than red as in the screenshot.
b) If the org does not require 2FA, remove the first step, as it won't apply (see first step below).
Also remove the word "next".
Remember to add the relevant links (link to the user's member settings).
Additional 2FA resources:
- SMS is deprecated. If users need to reset SMS 2FA, they will need to set it up differently going forward.
- Owners often think that removing the user from the org will reset the user's 2FA. This is not how 2FA works. See macro: 2FA > User Removed
