Verifying Identity for MFA Reset
Introduction
Multi-Factor Authentication (MFA) adds an extra layer of protection to user accounts by requiring a second form of verification, typically via a mobile device. An MFA reset is necessary when users lose access to their authentication device, for instance, when a phone is lost, broken, or replaced. This process ensures that the request is legitimate, safeguarding sensitive information and preventing unauthorised access.
Importance of Verifying Identity
Before performing an MFA reset, verifying the identity of the requester is essential. This ensures that only the authorised account holder can regain access, protecting the organisation's data and resources. Failing to verify identity could lead to data breaches or other security incidents.
Verification Scenarios
Scenario 1: Lost or Stolen Phone
A user contacts the IT Service Desk to request an MFA reset after losing their phone, which was the primary authentication method.
Scenario 2: Broken or Inaccessible Phone
A user reports their phone is broken, preventing access to the MFA app. They need an MFA reset to resume access to their account.
Scenario 3: New Phone or Device
A user upgraded to a new phone without transferring their MFA credentials. They need an MFA reset to set up the authentication on their new device.
Verification Process
- Initial Request
  - Inform the user about verification requirements. Users must either visit the London office in person or present photo identification via a Microsoft Teams call or chat.
  - Copies of IDs will be accepted, provided they are clear and legible.
- In-Person Verification (London Office)
  - User Visit: The user must visit the London office in person to verify their identity.
  - Document Check: An IT team member will check the user's photo ID. Acceptable forms of ID include:
    - Passport
    - Driver's licence
    - National Identity Card
    - Citizencard
    - Railcard with photo
    - Clear copies are acceptable as long as identification details are visible.
  - Confirmation: Once the user's identity is confirmed, proceed with the MFA reset.
- Remote Verification (Microsoft Teams)
  - If the user cannot visit the London office, they must provide photo identification via a Microsoft Teams call or chat.
  - Scheduling: Arrange a Teams call or chat at a convenient time. Teams should still be accessible even if MFA is unavailable. If not, arrange to use a personal email.
  - Document Presentation: During the call, the user must show their photo ID. Sensitive information (e.g., ID number, address) may be covered, provided the name and photo are visible.
  - Verification: Confirm the user's identity by matching the ID with the user's appearance and name.
  - Name Verification: Ensure that the name on the ID matches the name on the account. If the employee is using a preferred name that differs from the name on the ID, IT may consult with the People Team to cross-check records.
  - Confirmation: Once the identity is verified, proceed with the MFA reset in Entra ID.
Important Notes
- Security First: Prioritise security during verification. If doubts arise, escalate to a senior IT team member.
- Confidentiality: Handle personal information, including ID documents, with the utmost confidentiality. Ensure no unnecessary data is recorded or stored during the process.
- Escalation: If identity cannot be confirmed or there is suspicion of fraud, do not proceed with the MFA reset. Escalate to a senior IT team member.