Managing User MFA Enrollments

The 2FA Settings page exposes two admin-side surfaces for managing user enrollments: the Overview tab shows portal-wide adoption metrics, and the Reset Enrollment tab lets administrators reset a user's authenticator app enrollment when the user loses access. These are sibling tabs of the main Settings tab on the same page.

Requirements


Opening the 2FA Admin Tabs

  1. From the Setup home page, open the Two-Factor Authentication settings page.
  2. The page shows three tabs: Settings, Overview, and Reset Enrollment.

The Settings tab is the configuration surface and is documented on Enabling and Configuring Two-Factor Authentication. This page covers the other two tabs.


Overview Tab

The Overview tab shows real-time adoption and health metrics in five widgets.

| Widget | What It Shows |
| --- | --- |
| Enrollment Rate | A progress bar showing how many active users have enrolled in the authenticator app out of the total active users. |
| Status Breakdown | Counts of users in each enrollment state: Enrolled, Pending, and Not Started. |
| Backup Codes Health | If every enrolled user has sufficient backup codes, the widget reports that all users are healthy. Otherwise it shows two lists when applicable: Users with no backup codes remaining (zero codes left) and Users running low on backup codes (2 or fewer remaining), each as a grid of Name, Email, and (for the low list) Remaining count. |
| Recent Enrollments | A grid of users who recently completed enrollment, with Name, Email, and Enrolled Date. |
| Roles Without 2FA | A grid of Security Roles whose users do not have two-factor authentication enabled, with Role Name and Type. Useful for compliance reporting: which Roles still haven't met your enrollment policy. |

The widgets are read-only; administrators take action either by editing user records, working with the relevant Role's configuration on the Settings tab, or resetting individual users from the Reset Enrollment tab.


Reset Enrollment Tab

The Reset Enrollment tab lets administrators remove a user's authenticator app enrollment and backup codes. Use this when a user loses access to their authenticator device or otherwise needs a clean re-enrollment.

The tab's section heading reads Reset User Enrollment, with the hint: Remove a user's authenticator app enrollment and backup codes. Use this when a user loses access to their authenticator app.

To reset a user's enrollment

  1. Open the 2FA Settings page and click the Reset Enrollment tab.
  2. In the User field, search and select the user whose enrollment you need to reset.
  3. Click Reset. (The button is disabled until you select a user.)
  4. A confirmation dialog appears titled Reset User Enrollment? with the message: This will remove the user's authenticator app enrollment and all backup codes. The user will need to enroll again. Click the continue option to confirm, or cancel to abort.
  5. On success, the page shows a confirmation toast that the user's two-factor enrollment has been reset.

After the reset, on the user's next sign-in the platform leads them through fresh authenticator app enrollment. The user receives a new set of backup codes as part of that re-enrollment — there is no separate "regenerate backup codes" admin action; new codes are issued automatically when the user re-enrolls.

Security note: Verify the user's identity through an out-of-band channel (phone, video call, internal ticket with manager approval) before resetting an enrollment. A successful reset effectively lets the next sign-in establish a new authenticator, so the request must come from someone you trust.


User-Side Backup Code Regeneration

End users regenerate their own backup codes from their personal two-factor management page in the portal — this is a self-service action, not an admin one. Encourage users to regenerate proactively when their backup codes are running low (which the Overview tab's Backup Codes Health widget surfaces). Resetting an enrollment from the admin side is only appropriate when the user has lost access entirely; for proactive code regeneration, direct the user to their own profile.


Operational Patterns

A user replaces their phone or otherwise loses their authenticator device

  1. Verify the user's identity out-of-band.
  2. On the 2FA Settings page, open the Reset Enrollment tab.
  3. Select the user and click Reset; confirm.
  4. The user signs in on the new device; the platform prompts them to scan a new authenticator QR code and provides new backup codes during re-enrollment.

A user has used all their backup codes and lost their authenticator

  1. The user appears in the Users with no backup codes remaining list on the Overview tab if they had any backup codes at all (and used them all). Verify identity out-of-band.
  2. Reset the user's enrollment from the Reset Enrollment tab.
  3. On next sign-in, fresh enrollment issues a new authenticator pairing and new backup codes.

A user keeps failing verification despite valid enrollment

  1. Confirm the user's device clock is correct — TOTP relies on accurate time. A clock skew beyond about 90 seconds (±3 thirty-second steps) will cause codes to be rejected.
  2. If the issue persists, reset the user's enrollment so they can re-pair their authenticator app.

A user is locked out from too many invalid attempts

  1. Confirm the user is being rejected because of the configured Maximum Invalid Attempts.
  2. The lockout is tied to the sign-in session — it clears automatically when the user starts a fresh sign-in (the attempt counter resets when a new security token is issued). No enrollment reset is required, and resetting enrollment does not clear this lockout.
  3. Reset the user's enrollment only if they have also lost their authenticator device.
  4. Consider raising Maximum Invalid Attempts on the Settings tab if many users are hitting the limit.

Troubleshooting Tips

  • If the Reset button is disabled, you haven't selected a user yet — pick one in the User field first.
  • If the Backup Codes Health widget shows many users at zero remaining, encourage users to sign in and regenerate from their personal two-factor management page proactively, rather than waiting for them to lock themselves out.
  • For full symptom-by-symptom resolutions, see Two-Factor Authentication Troubleshooting.


Last updated on 6/8/2026
