We have recently set up a login-system using MFA, where the user can choose to either use Guardian or Google Authenticator (or equivalent). People have to enter their recovery code if their device has been stolen/reset. They can then be logged in using the recovery-key, which acts like a one-time-password.
The scenario is like this:
Use normal password -> use recovery-key -> copy new recovery key -> login
It seems there is no process, where the user can reset the MFA? It keeps the user in a loop where the user has to use recovery-keys for each login.
Is there a way for the user to reset MFA using the recovery-key? Like this:
Use normal password -> use recovery-key -> reset MFA -> setup MFA incl. new recovery-key -> login
This way the user would be able to setup their MFA again without a manual interference.
Any help on this would be highly appreciated