Just today I witnessed someone working from home who had to move to a new system at work. Part of the instructions involved deactivating their 2FA app, which was apparently still needed for a later step in the process. They were supposed to use a backup phone number in the account to receive a text code to sign in, but, of course, there’s no backup phone number in their account.
The last mid-to-big company I worked for had an excellent system of setting up your new software that involved calling you to please confirm you 2FA.
When I said “I’m pretty sure I followed at least four trainings telling me not to do that” they were not amused. I, on the other hand, was extremely amused by telling them no.
Two companies ago I was told I had failed to pass an email phishing test and so would be required to take another training in it. I pointed out that I could not, in fact, have failed such a test as I don’t respond to anything (real or faked) from management. I still had to take the training. So for the rest of my time at the company I turned in every email I received from management as a phishing attempt. I was told to stop it, but replied that I was simply being careful in following training. I’m sure they blocked me after that.
Needing to deactivate 2fa to link a new authenticator is one of my big complaints about so many systems. You should be able to pair a new one without removing the old one, or at least have it replace it.
Just today I witnessed someone working from home who had to move to a new system at work. Part of the instructions involved deactivating their 2FA app, which was apparently still needed for a later step in the process. They were supposed to use a backup phone number in the account to receive a text code to sign in, but, of course, there’s no backup phone number in their account.
If only their job used this scheme instead. sigh
The last mid-to-big company I worked for had an excellent system of setting up your new software that involved calling you to please confirm you 2FA.
When I said “I’m pretty sure I followed at least four trainings telling me not to do that” they were not amused. I, on the other hand, was extremely amused by telling them no.
Brilliant!
Two companies ago I was told I had failed to pass an email phishing test and so would be required to take another training in it. I pointed out that I could not, in fact, have failed such a test as I don’t respond to anything (real or faked) from management. I still had to take the training. So for the rest of my time at the company I turned in every email I received from management as a phishing attempt. I was told to stop it, but replied that I was simply being careful in following training. I’m sure they blocked me after that.
Needing to deactivate 2fa to link a new authenticator is one of my big complaints about so many systems. You should be able to pair a new one without removing the old one, or at least have it replace it.