Allow individual user to temporarily bypass Multi-factor authentication in emergency

by Halie Carton -
Number of replies: 3

Hello,

We're looking to set up Multi-factor authentication on our Moodle instance. Our clients specifically want to use Email authentication only (users don't always have access to cellphones, so Authenticator app is not feasible). However, some users don't receive our Moodle system emails. We have worked to troubleshoot this issue, and resolved it in many instances, but we can't be certain that we won't run into a future situation where one user is unable to receive our system emails, and therefore, once MFA is implemented, won't be able to access our site.

In the case that one user is unable to receive system emails for MFA, is there a way that an Admin can allow that user to temporarily bypass MFA until the email issue is resolved for them? 

Thank you for your help, and let me know if you need more information.

Sincerely,

Halie Carton

In reply to Halie Carton

Re: Allow individual user to temporarily bypass Multi-factor authentication in emergency

by Visvanath Ratnaweera -
Just thinking: Isn't the solution to give a choice between e-mail and SMS for the second authentication? Or, even more user friendly, to send both?
In reply to Visvanath Ratnaweera

Re: Allow individual user to temporarily bypass Multi-factor authentication in emergency

by Halie Carton -
Thanks, Visvanath. While that would be ideal, we don't have the funding at this time for SMS. What we're looking for is a way to troubleshoot the issue; in other words, allow a user access to the site without MFA if MFA isn't working for them. After some thought, we're thinking of using the User-filtering factors, specifically the Role factor MFA setting, so that we can define a role that requires MFA, but if a user has an issue, we can change the user's role to a role that does not require MFA to access the site. We haven't tested this yet, so I'm not sure if it will work.

Again, thanks for your suggestion.

Sincerely,
Halie Carton
In reply to Halie Carton

Re: Allow individual user to temporarily bypass Multi-factor authentication in emergency

by Visvanath Ratnaweera -
Well, then the answer would depend on the MFA mechanism you utilize. I don't claim to know the depths of MFA, but if you provide detailed information on how your present MFA works, somebody who knows that particular system can help.

That said, the importance of Moodle's outgoing mails cannot be understated. Have you considered sending them out from your own SMTP server? Then you will have access to its logs to diagnose what went wrong.

An additional easy trick is to use a real mailbox for the no-reply address and read bounced mail in that mailbox.