We are considering implementing a user authentication system using Auth0. However, we’re concerned about a scenario where a user might lose access to their email address. Specifically, we are concerned about what would happen if the domain of the email address that a user is using becomes invalid, rendering the email address itself unusable.
In the event that a user authenticates through an email address and password and also uses Multi-Factor Authentication (MFA) as a secondary verification method, what should we do if they still possess the device used for MFA but lose access to their email address?
Under such circumstances, how should we go about recovering this user’s account? We would greatly appreciate it if you could provide any specific steps or best practices. Our goal is to create a process where the user can resolve this issue as much as possible without the intervention of Auth0 administrators (developers, such as us).
How can you differentiate between a legitimate user who has lost their email and an attacker that has access to a second factor (a common scenario with SMS factors due to SIM swapping attacks)?
For MFA to be effective, you need to respect the fact that multiple factors are present for a password reset, email reset, or MFA reset. If you only rely on a single factor, it is no longer MFA.
This typically requires admin intervention because of the fact that there is no other programmatic way to validate a user’s ownership of the email address. For example, some sites may use some user information, like a credit card number, or some other so-called ‘secret’ to validate the user’s identity, but only do this on a case-by-case basis.
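One way to encode the rule in the answer above, that the factor being replaced never counts toward its own reset and a lone remaining factor is not enough for self-service, is shown here as an added example; it is not code from the thread or from Auth0, and the factor labels and the "manual_review" outcome are assumptions:

```python
from dataclasses import dataclass, field

# Factor labels are this example's own (assumption), not Auth0 identifiers.
PASSWORD, EMAIL, TOTP, SMS = "password", "email", "totp", "sms"


@dataclass
class RecoveryRequest:
    resetting: str                              # credential the user wants to replace
    proven: set = field(default_factory=set)    # factors verified in this session


@dataclass
class Decision:
    outcome: str   # "allow" (self-service) or "manual_review" (admin case-by-case)
    reason: str


def evaluate(req: RecoveryRequest, min_factors: int = 2) -> Decision:
    """Allow a self-service reset only when enough *other* factors were proven.

    The factor being replaced is excluded from the count, so a single
    remaining second factor (for example an SMS code obtained by SIM swap)
    cannot unlock an email or password change on its own.
    """
    usable = req.proven - {req.resetting}
    if len(usable) < min_factors:
        return Decision(
            "manual_review",
            f"{req.resetting} reset needs {min_factors} other factors, "
            f"got {sorted(usable) or 'none'}",
        )
    return Decision("allow", f"{req.resetting} reset proven by {sorted(usable)}")


if __name__ == "__main__":
    # Scenario from the question: email domain gone, user still has password + TOTP device.
    print(evaluate(RecoveryRequest(EMAIL, {PASSWORD, TOTP})))
    # Attacker who controls only the SMS factor (SIM swap): no self-service path.
    print(evaluate(RecoveryRequest(PASSWORD, {SMS})))
    # User with only the MFA device and nothing else: escalate to an admin.
    print(evaluate(RecoveryRequest(EMAIL, {TOTP})))
```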