Resetting your visitors' MFA device

How to reset a visitor's MFA device, and the risks you should understand before doing so.

Written by Dan Sackett
Updated over a week ago

Zoomforth sites can be protected with multi-factor authentication (MFA).

If your site is configured to use MFA, your visitors will set up an MFA device on their first visit. They can choose to receive a text message (SMS) at a phone number or to set up an authenticator app.

This setup is done only once per person.

For each new browser/computer/phone the person uses to visit your site, they will need to use the same MFA device to re-authenticate.

Read more about MFA-protected sites.

Lost / Inaccessible MFA Device

If your visitor needs to re-authenticate to your site but has lost the device they set up for MFA (or changed phone numbers), then they will be unable to access the site until a site admin resets their device.

The visitor should visit the site they want to access and click "I've lost my device". 

At this point a new entry is added to the Site Details > Visitor Access > Pending Access tab, showing that a certain visitor needs their access reset. (An email is also sent to admins letting them know this request has been made.)

Clicking the "Confirm" button on that row resets the visitor's MFA device, allowing them to set up a new one.

Visitor Verification—Don't Just Reset Anyone Who Asks!

However, don't just reset the MFA device whenever someone makes that request! There are some dangers here you should be aware of:

By the time a visitor is able to request an MFA device reset, the only thing Zoomforth knows for sure about them is that they have access to the email address they claim to own.

It's possible that this visitor really did lose their phone (or change their phone number). But it's also possible that an attacker has compromised their email account, or even that an attacker simply sat down at their workstation while they were logged into their email.

If an attacker is attempting to gain access to the site, then the MFA device is working as intended by preventing the attacker from accessing the site. Resetting it on request would undo that protection.

Therefore, when you receive a request to reset a device, it's very important to confirm that the person really is who they claim to be and really does want to reset their device.

You should do this by communicating with them via channels that are *not* the email address they use for the site, since it is that email address that may be compromised. Instead, contact them in person, over the phone, via a personal email, or through a coworker or manager of theirs.
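The approval rule described above can be expressed as a small workflow: a reset request proves only control of the site email, so the "Confirm" step should be refused until an admin has recorded a verification through some other channel. The following is an added illustration written for this article, not Zoomforth's own code; the class and field names, the channel list, and the in-memory request store are all assumptions.

```python
"""Illustrative MFA-reset approval workflow with mandatory out-of-band
verification. Written as an example for this article; not Zoomforth code.
All names here (PendingAccess, ResetRequest, Channel, ...) are assumptions."""

from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Channel(Enum):
    SITE_EMAIL = "site_email"            # the login address; may be compromised
    PHONE_CALL = "phone_call"
    IN_PERSON = "in_person"
    PERSONAL_EMAIL = "personal_email"
    MANAGER_CONFIRMATION = "manager_confirmation"


# Channels an admin may use to verify a reset request. The site email is
# deliberately excluded: control of that mailbox is all a requester has proven.
OUT_OF_BAND_CHANNELS = frozenset(Channel) - {Channel.SITE_EMAIL}


class ResetNotVerified(Exception):
    """Raised when a reset would be confirmed without out-of-band verification."""


@dataclass
class ResetRequest:
    visitor_email: str
    status: str = "pending"
    verified_via: Optional[Channel] = None
    verified_by: Optional[str] = None
    events: List[str] = field(default_factory=list)   # audit trail (assumed)


class PendingAccess:
    """Stand-in for the Pending Access list an admin reviews (assumed model)."""

    def __init__(self) -> None:
        self._requests: Dict[str, ResetRequest] = {}

    def request_reset(self, visitor_email: str) -> ResetRequest:
        # Triggered when the visitor clicks "I've lost my device".
        req = ResetRequest(visitor_email=visitor_email)
        req.events.append("reset requested via site email")
        self._requests[visitor_email] = req
        return req

    def record_verification(self, visitor_email: str, channel: Channel,
                            admin: str) -> ResetRequest:
        """Admin records how they confirmed the request really came from the visitor."""
        req = self._requests[visitor_email]
        if channel not in OUT_OF_BAND_CHANNELS:
            raise ResetNotVerified(
                f"{channel.value} is the channel that may be compromised; "
                "verify through a different one")
        req.verified_via = channel
        req.verified_by = admin
        req.events.append(f"verified by {admin} via {channel.value}")
        return req

    def confirm(self, visitor_email: str, admin: str) -> ResetRequest:
        """The 'Confirm' button: only allowed after out-of-band verification."""
        req = self._requests[visitor_email]
        if req.verified_via is None:
            raise ResetNotVerified("no out-of-band verification recorded")
        req.status = "reset"
        req.events.append(f"MFA device reset confirmed by {admin}")
        return req


if __name__ == "__main__":
    # Constructed sample walk-through of the happy path.
    pa = PendingAccess()
    pa.request_reset("visitor@example.com")
    pa.record_verification("visitor@example.com", Channel.PHONE_CALL, "admin")
    print(pa.confirm("visitor@example.com", "admin").events)
```

The useful property is that the refusal lives in `confirm`, not in admin discipline: a request that has only the site-email event on its audit trail cannot be reset, and an attempted "verification" through the site email itself is rejected as the very channel that may be compromised.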
