Who is responsible for resetting MFA for a user?
Generally Available - Limited Rollout
Multi-factor Authentication (MFA) is generally available through a limited rollout process. Contact your Procore point of contact for more information about availability.
Background
A user may lose the device where MFA is configured, acquire a new device, or experience another event that requires MFA to be reset. While the user will be provided with a recovery code upon setup, if they are not able to locate the code, they will need help resetting MFA.
Answer
A Directory Admin is typically responsible for resetting MFA for a user. Procore will only perform identity verification and MFA resets for users who have Payments Disburser permission to the Procore Pay tool.
Sometimes a user is added to multiple Directories across different Procore companies. The ability to reset MFA for a user who does not have Disburser access to Procore Pay is available to all Directory Admins across any company account the user has been added to.
Identity Verification
Directory Admins should always verify the identity of a user who requests to reset MFA, to make sure the reset request is valid before proceeding with the reset.
Attackers commonly target password and MFA reset flows to take over a user's identity and gain access to systems with that user's credentials. Because of this, it's important that you, as a Directory Admin, are completely confident that any user requesting an MFA reset from you is who they claim to be.
As a Directory Admin, you are responsible for choosing how to verify a user's identity. Procore does not verify the identity of users who need to reset MFA unless those users have Disburser permissions to Procore Pay.
Common options for identity verification include:
Video or In-Person Verification (most secure). When verifying the identity of a user over video call or in person, you can ask the user to present a photo ID to confirm their identity. If you know the user personally, you can confirm their identity simply by seeing their face.
Phone Verification (somewhat secure). When verifying the identity of a user over the phone, you can ask them personal or professional questions that only they would know the answer to. If you know the user personally, you may be able to recognize their voice, which is another good indicator the person is who they say they are.
Email or Text Verification (least secure). When verifying identity through text or email, keep in mind that an attacker requesting a reset may have gained access to the user's email account or phone. Because this method of verification does not involve the voice or visible presence of the user making the reset request, it's a good idea to request additional verification by asking personal or professional questions, depending on your relationship with the user, to help confirm they are who they claim to be. More secure options for verification are generally a better choice.
These individual verification methods can also be combined:
Knowledge-based verification. Ask the user questions only they would know the answer to, either by phone, text, or email. It's a good idea to combine this verification method with photo ID verification.
Photo ID verification. Ask the user to provide an image of a government-issued photo ID. It's a good idea to combine this verification method with knowledge-based or in-person verification.
In-person verification. Ask the user to verify their identity in person, or over a video call. It's a good idea to combine this verification method with photo ID verification if you don't personally know the user making the request.