Okta Classic Engine · Authentication · Answered (thread dates: 2023-09-25, 2023-09-26, 2024-10-12)

3d7d1 (3d7d1) asked a question.

How to control user MFA when user is no longer with the company?

Hello, community

I am trying to mitigate a potential security risk when our users are setting up the MFA using any sort of authenticator as part of their registration with our app.

Scenario:

John Doe (our client's employee) signs up with our application > he has set up the password > he is asked to set up the MFA with Okta Verify or Google Authenticator (or even email)

John Doe (john.doe@somecompany.com) selects Google Authenticator and uses his private email account "jd@gmail.com".

Within 3 months, John Doe got laid off, losing access to his corporate email "john.doe@somecompany.com". However, since the Google Authenticator was set up with his private email "jd@gmail.com", he can still access the system... unless his account is deleted/revoked in our app.

Since we cannot control/know John's work status, we are not aware of his current job status to act immediately.


Please advise on how this issue could be resolved.

Thank you in advance!


  • Mihai N. (Okta, Inc.)

    Hi @3d7d1 (3d7d1)​ , Thank you for reaching out to the Okta Community! 


    This sounds like a fault in the Lifecycle Management flow design.  

    Typically you would have an HR app set up as a Profile Source; when the user is terminated, the deactivation flow would pass through to Okta and from there to all provisioning-enabled apps. (Something like AD or even Okta itself can be the profile source, depending on your requirements.)

    Lacking that, there should at least be a process in place that immediately notifies the responsible parties of the change in status to be able to perform the appropriate actions. 


    That being said, we can't make any recommendation as more information is required.  

    For example, it's unclear based on the details we have here if federated SSO is in place or not. I'm assuming not, based on the fact that you said the user sets up a password as part of the sign up to the app. 

    As far as "control" over the user's MFA, if the account is managed in Okta and not at app level:

    - you can set up MFA Enrollment policies to enforce the set-up of authenticators

    - you can set up Sign-on policies to enforce the use of authentication at login (to org/apps)

    - you can trigger an MFA reset


    I hope my answer brings some insight, but for an on-point answer you might need to open a case to work with one of our Support Engineers to go over your environment and use case in depth.


    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 


    Hope my answer helps! 

    Selected as Best
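The Okta-managed path the answer above describes (an HR profile-source termination that flows into Okta, plus an MFA reset) can be scripted against the Okta Users API. The following is an added example written for this thread; it is not code from the post, from Okta, or from the asker's application. The org URL, API token and user data are constructed placeholders, the HR trigger is modelled as a plain call to offboard_user() with the terminated user's login, and the FakeOkta transport is a constructed in-memory stand-in whose HTTP status codes are assumed to match the real endpoints (DELETE sessions 204, reset_factors 200, deactivate 200).

```python
"""Added example for the Okta Community thread above (not Okta's own code):
offboard an Okta-managed user by clearing sessions, resetting all enrolled
MFA factors and deactivating the account, in that order, via the Users API.
Org URL and API token are hypothetical placeholders."""
import json
import urllib.parse
import urllib.request


class OktaClient:
    """Minimal Okta Management API client using an SSWS API token."""

    def __init__(self, org_url, api_token, transport=None):
        self.org_url = org_url.rstrip("/")
        self.api_token = api_token
        # transport(method, url, headers, body) -> (http_status, parsed_json).
        # Injectable so the routine can be exercised offline against a fake.
        self.transport = transport or self._urllib_transport

    @staticmethod
    def _urllib_transport(method, url, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)

    def call(self, method, path, body=None):
        headers = {"Authorization": f"SSWS {self.api_token}",
                   "Accept": "application/json",
                   "Content-Type": "application/json"}
        return self.transport(method, self.org_url + path, headers, body)

    def find_user(self, login):
        # GET /api/v1/users?search=profile.login eq "<login>"
        query = urllib.parse.urlencode({"search": f'profile.login eq "{login}"'})
        status, users = self.call("GET", f"/api/v1/users?{query}")
        return users[0] if status == 200 and users else None

    def clear_sessions(self, user_id):  # DELETE /api/v1/users/{id}/sessions
        return self.call("DELETE", f"/api/v1/users/{user_id}/sessions")[0]

    def reset_factors(self, user_id):  # POST /api/v1/users/{id}/lifecycle/reset_factors
        return self.call("POST", f"/api/v1/users/{user_id}/lifecycle/reset_factors")[0]

    def deactivate(self, user_id):  # POST /api/v1/users/{id}/lifecycle/deactivate
        return self.call("POST", f"/api/v1/users/{user_id}/lifecycle/deactivate")[0]


def offboard_user(client, login):
    """Termination handler. Sessions first, then every factor is unenrolled
    (so a personally held authenticator can no longer satisfy MFA), then the
    account is deactivated. Each step's HTTP status is recorded so a partial
    failure is visible to whoever reviews the offboarding."""
    user = client.find_user(login)
    if user is None:
        return {"login": login, "found": False, "steps": []}
    if user.get("status") == "DEPROVISIONED":
        return {"login": login, "found": True, "steps": [("already_deactivated", None)]}
    uid = user["id"]
    steps = [("clear_sessions", client.clear_sessions(uid)),
             ("reset_factors", client.reset_factors(uid)),
             ("deactivate", client.deactivate(uid))]
    return {"login": login, "found": True, "steps": steps}


class FakeOkta:
    """Constructed in-memory stand-in for the endpoints used above, so the
    example runs offline. Status codes are assumed to match the real API."""

    def __init__(self, users):
        self.users = {u["id"]: dict(u) for u in users}
        self.factors = {u["id"]: ["google_authenticator"] for u in users}
        self.sessions = {u["id"]: 1 for u in users}

    def __call__(self, method, url, headers, body):
        assert headers["Authorization"].startswith("SSWS ")
        path = url.split("/api/v1/", 1)[1]
        if method == "GET" and path.startswith("users?"):
            search = urllib.parse.parse_qs(path.split("?", 1)[1])["search"][0]
            login = search.split('"')[1]
            return 200, [u for u in self.users.values() if u["profile"]["login"] == login]
        parts = path.split("/")  # users/<id>/...
        uid = parts[1]
        if uid not in self.users:
            return 404, {"errorSummary": "not found"}
        if method == "DELETE" and parts[2:] == ["sessions"]:
            self.sessions[uid] = 0
            return 204, None
        if method == "POST" and parts[2:] == ["lifecycle", "reset_factors"]:
            self.factors[uid] = []
            return 200, {}
        if method == "POST" and parts[2:] == ["lifecycle", "deactivate"]:
            self.users[uid]["status"] = "DEPROVISIONED"
            return 200, {}
        return 404, {"errorSummary": "not found"}


if __name__ == "__main__":
    fake = FakeOkta([{"id": "00u1", "status": "ACTIVE",
                      "profile": {"login": "john.doe@somecompany.com"}}])
    client = OktaClient("https://example.okta.com", "<API_TOKEN>", transport=fake)
    print(offboard_user(client, "john.doe@somecompany.com"))
    print(offboard_user(client, "john.doe@somecompany.com"))  # second run is a no-op
```

Against a real org, drop the transport argument so the urllib transport is used, and have the HR system (or whatever plays the profile-source role) call offboard_user() the moment a termination is recorded. The explicit session clear and factor reset are done before deactivation so that the account's access is reduced even if a later step fails; this ordering is a design choice of the example, not something the Okta API requires.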
  • 3d7d1 (3d7d1)

    Thank you @Mihai N. (Okta, Inc.)​ ,

    You are correct, this use case accounts for our Clients that do not use the IdP, and do not want to integrate with our federated SSO. Therefore, I was looking for a solution to support and manage such users.

    However, it feels there is no such option, as we cannot control the way those users will set up the authenticators. This brings us to the inevitable cases of potential failures.

    With kind regards,

    Yaro

This question is closed.