In my custom policy I used the example here: https://github.com/azure-ad-b2c/samples/tree/master/policies/totp

I have TOTP working, but I want to make sure I will be able to reset it if a user doesn't have access to their authenticator app anymore.

NOTE: This is NOT using Azure B2C's built-in flows where you can enable TOTP in the settings.

Derek J.
  • How would you like them to recover their account? What would be your preferred fallback mechanism? Some providers ask the user to note a recovery code, and that can be used if Authenticator is lost. – Jas Suri - MSFT Feb 10 '22 at 00:46
  • Hi Jas, we were thinking of just resetting it so it would be as if they never set it up. So next time they login they would have to scan the QR Code again and set it up. This would require us to make sure they are who they say they are, but that's what we are shooting for. BTW, thanks for all the samples they have been incredibly helpful! – Derek J. Feb 10 '22 at 06:18

1 Answer

This seems like an admin-controlled operation, in which case:

  1. List the softwareOathMethods for the user, here.
  2. Delete the softwareOathMethod for the user, here.

The B2C policy will then ask the user to re-enrol an authenticator device on next sign-in.

Jas Suri - MSFT
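The two-step reset the answer describes (list the user's softwareOathMethods, then delete each one) as a small Microsoft Graph script. This is an added example, not code from the original post, from the B2C samples repository, or from Microsoft. It assumes the enrolment is stored in the Graph `/users/{id}/authentication/softwareOathMethods` collection as the answer states, that you already hold a bearer token for an application granted `UserAuthenticationMethod.ReadWrite.All` (for example via the client-credentials flow), and that you know the user's object id. The `DryRunGraph` class is a constructed stand-in for the service so the procedure can be rehearsed offline; the `B2C_USER_ID` and `GRAPH_TOKEN` environment variable names are this example's own choice.

```python
"""Reset a user's TOTP enrolment by deleting their softwareOathMethods via Microsoft Graph.

Added example, not code from the original post or the B2C samples repository.
Assumptions: a bearer token for an app granted UserAuthenticationMethod.ReadWrite.All
(obtained elsewhere, e.g. client-credentials flow), the user's object id, and that the
enrolment lives in the Graph softwareOathMethods collection as the answer states.
Only the Python standard library is used.
"""
import json
import os
import sys
import urllib.request
from typing import Callable, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"

# Transport: (http_method, url, bearer_token) -> (status_code, parsed JSON body or None).
# Injected so the reset can be rehearsed against a stand-in before touching a live tenant.
Transport = Callable[[str, str, str], Tuple[int, Optional[dict]]]


def graph_request(method: str, url: str, token: str) -> Tuple[int, Optional[dict]]:
    """Live transport: one authenticated call to Microsoft Graph."""
    req = urllib.request.Request(url, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def list_software_oath_methods(user_id: str, token: str,
                               http: Transport = graph_request) -> List[dict]:
    """Step 1 of the answer: enumerate every authenticator app registered for the user,
    following @odata.nextLink so a paged collection is not silently truncated."""
    url: Optional[str] = f"{GRAPH}/users/{user_id}/authentication/softwareOathMethods"
    methods: List[dict] = []
    while url:
        status, body = http("GET", url, token)
        if status != 200 or body is None:
            raise RuntimeError(f"GET {url} failed with HTTP {status}")
        methods.extend(body.get("value", []))
        url = body.get("@odata.nextLink")
    return methods


def delete_software_oath_method(user_id: str, method_id: str, token: str,
                                http: Transport = graph_request) -> None:
    """Step 2 of the answer: remove one registered authenticator. Graph answers 204 on success."""
    url = f"{GRAPH}/users/{user_id}/authentication/softwareOathMethods/{method_id}"
    status, _ = http("DELETE", url, token)
    if status != 204:
        raise RuntimeError(f"DELETE {url} failed with HTTP {status}")


def reset_totp(user_id: str, token: str, http: Transport = graph_request) -> List[str]:
    """Delete all of the user's software OATH methods so the policy re-enrols them at next
    sign-in. Returns the removed method ids; record them in your audit log together with
    the evidence used to verify the requester's identity before running this."""
    removed: List[str] = []
    for method in list_software_oath_methods(user_id, token, http):
        delete_software_oath_method(user_id, method["id"], token, http)
        removed.append(method["id"])
    return removed


class DryRunGraph:
    """Constructed stand-in for Graph (not the real service). Serves the given method ids
    in pages and records every call, so reset_totp can be rehearsed offline."""

    def __init__(self, method_ids: List[str], page_size: int = 10) -> None:
        self.pages = [method_ids[i:i + page_size]
                      for i in range(0, len(method_ids), page_size)] or [[]]
        self.calls: List[Tuple[str, str]] = []

    def __call__(self, method: str, url: str, token: str) -> Tuple[int, Optional[dict]]:
        self.calls.append((method, url))
        if method == "DELETE":
            method_id = url.rsplit("/", 1)[1]
            known = any(method_id in page for page in self.pages)
            return (204, None) if known else (404, None)
        page = int(url.split("$skiptoken=")[1]) if "$skiptoken=" in url else 0
        body = {"value": [{"id": m, "displayName": "Authenticator"} for m in self.pages[page]]}
        if page + 1 < len(self.pages):
            body["@odata.nextLink"] = f"{url.split('?')[0]}?$skiptoken={page + 1}"
        return 200, body


if __name__ == "__main__":
    # Live use: B2C_USER_ID=<object id> GRAPH_TOKEN=<bearer> python reset_totp.py
    user_id, token = os.environ.get("B2C_USER_ID"), os.environ.get("GRAPH_TOKEN")
    if not user_id or not token:
        sys.exit("set B2C_USER_ID and GRAPH_TOKEN (or call reset_totp with DryRunGraph to rehearse)")
    print("removed:", reset_totp(user_id, token))
```

Two things the script deliberately does not do, because they belong in the surrounding process rather than in the Graph call: it does not decide whether the person asking for the reset is who they say they are (the asker's stated precondition; a reset request is the classic social-engineering path around MFA, so tie it to a help-desk identity check or a previously issued recovery code), and it does not rate-limit or approve itself. The returned ids are there so the reset, the operator who ran it and the identity evidence all land in one audit record.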