Intended audience
- GovCMS SaaS customers
- Drupal customers with restrictions around TFA management
Overview:
This article provides step-by-step guidance for resolving cases where a user's account becomes locked after skipping Two-Factor Authentication (TFA) setup more times than the configured limit allows (typically 3 to 5 attempts in GovCMS SaaS). It outlines three solutions, ranked by ease of implementation, plus a fallback, to help administrators restore access while keeping TFA enforced.
Scenario:
When a user skips TFA setup more than the allowed number of times, their account becomes locked and they can no longer access the site. Which of the solutions below is available to you depends on the permissions enabled in your environment.
Solutions:
1. Disable TFA for the User (Preferred Option)
The simplest and most straightforward solution is to disable TFA for the affected user, allowing them to log in and reconfigure TFA.
Steps:
- Log in to the production site with your administrator account.
- Navigate to the user’s profile under People in the admin dashboard.
- Click on the TFA tab in the user’s profile.
- Select the Disable TFA option for that user.
- Inform the user that they can now log in without TFA, and advise them to set up TFA immediately after logging in to prevent future lockouts.
This method is quick and does not require production deployment changes. However, it temporarily removes the second factor from the account, so it is critical to confirm that the user has reconfigured TFA promptly; treat the disabled state as time-boxed rather than open-ended.
2. Adjust Permissions to Reset TFA Skip Attempts
If the above option is not viable, you can grant the permission that allows the TFA skip counter to be reset directly. This approach requires production deployment changes.
Steps:
- Enable the "GovCMS Security Kit" permission called "Reset TFA Skip validation attempts" for the appropriate role (e.g., Site Administrator).
- Once the permission is enabled, navigate to the affected user’s profile and reset the TFA skip counter. The user then has the full number of skip attempts again; advise them to complete TFA setup on their next login rather than skipping it.
Important Considerations:
- This permission should only be granted to trusted roles, since anyone holding it can repeatedly defer TFA enforcement for other accounts.
- A production deployment is required to apply this change, which might delay the resolution.
3. Generate Recovery Codes for the User
If permissions cannot be adjusted, you can unblock the account by generating recovery codes for the user. Like option 1, this method does not require a production deployment.
Steps:
- Log in to the production site with your administrator account.
- Navigate to the user’s profile under People in the admin dashboard.
- Click on the TFA tab in the user’s profile.
- Configure and generate recovery codes for the user by clicking Complete TFA setup.
- Save the recovery codes to the user’s account.
- Provide the recovery codes to the user through a secure channel (not the same inbox or chat an attacker who compromised their email could read) and advise them to:
- Log in using one of the recovery codes.
- Immediately configure their TFA settings after logging in.
- Regenerate their recovery codes once TFA is set up, because the codes you issued were handled by a second party, and store the new codes securely in line with their organisation's policy for OTP credentials.
4. Fallback Option: Create a New User Account
If none of the above solutions resolve the issue, creating a new user account is a viable fallback option.
Steps:
- Create a new account for the user with the necessary roles and permissions.
- Block the locked account to prevent confusion or unauthorized attempts. Blocking is preferable to deleting, as it preserves the account's history and any content attributed to it.
- Alternatively, change the username and email of the locked account to indicate it is inactive. Note that a renamed account remains active and retains its roles, so blocking is the stronger control.
- Provide the user with their new credentials and request they configure TFA immediately.
Additional Notes:
- The preferred option (disabling TFA) is the quickest and simplest solution but requires immediate follow-up to confirm TFA has been re-enabled for the user.
- Clear communication with users is critical so that they configure TFA promptly after logging in and avoid repeating the lockout.
- For further support, consider scheduling a screen-sharing session to assist the user directly.
Other options
If you're a GovCMS customer, refer to the knowledgebase article Two-Factor Authentication (TFA/2FA) troubleshooting