9eo2a (9eo2a) asked a question.
Hi, We have a few customers that have access to our admin console with permission that allow them to reset passwords for users among their group as well as observability over activity of their group members. These Group Admin users do not have access to phones or external devices so I'm trying to find a solution to using security questions as a form of 2FA that allows them continue using the admin console. However when I try and add Security Questions to our authentication for admin console access the only things that are prompted are Google Auth and Okta Verify even though security questions are included in the rule. I tested reset the security questions on a test account and I was prompted with the option and once set it no longer showed up as an option. This being said does anyone know a work around or have a better solution for users who don't have access to devices? Any help is greatly appreciated.
@9eo2a (9eo2a) -- "This being said does anyone know a work around or have a better solution for users who don't have access to devices?"
If I were going to have a small subset of people performing a very small subset of tasks and I wanted to limit them as much as possible I would probably use a Delegated Workflow. You could restrict them to only seeing the delegated workflow in the admin console and for doing something like a "reset" you could have a workflow backend do the work and on the front-end they can just specify inputs (like a user email address). You could then validate those inputs using something like (regex, a lookup table, api calls etc) to make sure it is further constrained to what they are allowed to reset for before calling the API to perform the action.
As far as your MFA question. I dunno.