Self-Reset MFA for Users
Okta Classic Engine
Multi-Factor Authentication
Okta Identity Engine
Overview

Users are unable to reset their Multi-Factor Authentication (MFA) because they cannot log in to their account. This article covers what can be done in this situation.

Applies To
  • Multi-Factor Authentication (MFA)
  • MFA Reset
  • Self-Service
Cause

By default, users who cannot access their accounts cannot reset their own MFA. Allowing this would pose a major security risk and would expose tenants to bad actors attempting attacks of multiple types.

Hence, MFA can only be reset by admins. 

Solution

Reset MFA for the user

The admin can reset the MFA for the user by following these steps: 

  1. In the Okta Admin Console, navigate to Directory > People.
  2. Locate and click the specific user.
  3. Select More Actions in the top right area of the User Profile.
  4. Select Reset Authenticators (or Reset Multifactor in Okta Classic).
  5. Choose which factors to reset from the list of factors that is displayed.
  6. Once reset, the user will be prompted to re-enroll in the MFA policy the next time they log in. There is no time limit for re-enrollment.

For a visual representation of the above steps, see the How to Reset MFA for a Specific End User video.

Use the Okta API to perform factor operations

Leverage the Okta Factors API to reset users' factors and even set up custom automations for factor enrollment or resets. 
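As an added example (not Okta's own code), the sketch below mirrors the admin steps above through the Factors API: it lists a user's enrolled factors, then unenrolls only the chosen factor types. The org URL, API token, function names and the `send` test hook are assumptions; the endpoints used are the Factors API list (GET /api/v1/users/{userId}/factors) and unenroll (DELETE /api/v1/users/{userId}/factors/{factorId}) operations.

```python
import json
import urllib.request
from urllib.parse import quote

ORG_URL = "https://example.okta.com"    # placeholder org URL (assumption)
API_TOKEN = "REPLACE_WITH_API_TOKEN"    # placeholder; load from a secret store

def call_okta(method, path, send=None):
    """Send one API request. `send` is a hypothetical hook for offline tests."""
    req = urllib.request.Request(
        ORG_URL + path, method=method,
        headers={"Authorization": "SSWS " + API_TOKEN,
                 "Accept": "application/json"})
    if send is not None:
        return send(req)
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
        return resp.status, (json.loads(body) if body else None)

def reset_factors(user_id, factor_types, send=None, dry_run=False):
    """Unenroll only the factors whose factorType is in factor_types.

    Returns the ids that were reset (or would be, when dry_run is set).
    """
    base = f"/api/v1/users/{quote(user_id, safe='')}/factors"
    status, factors = call_okta("GET", base, send)      # list enrolled factors
    if status != 200:
        raise RuntimeError(f"listing factors failed: HTTP {status}")
    reset = []
    for factor in factors:
        if factor["factorType"] not in factor_types:
            continue                                    # leave other factors enrolled
        if not dry_run:
            path = f"{base}/{quote(factor['id'], safe='')}"
            status, _ = call_okta("DELETE", path, send)
            if status != 204:                           # 204 = factor unenrolled
                raise RuntimeError(f"reset of {factor['id']} failed: HTTP {status}")
        reset.append(factor["id"])
    return reset

if __name__ == "__main__":
    # Constructed sample response, served by a fake transport so this runs offline.
    sample = [{"id": "factorA", "factorType": "sms", "status": "ACTIVE"},
              {"id": "factorB", "factorType": "token:software:totp", "status": "ACTIVE"}]
    fake = lambda req: (200, sample) if req.get_method() == "GET" else (204, None)
    print(reset_factors("user1", {"sms"}, send=fake))
```

Running with dry_run=True first shows which factor ids would be removed before any DELETE is sent.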

 

Use another MFA method to sign in and replace the old one

If the user has access to a backup MFA method, they can go to their Settings and remove the old MFA method they had. 

 
