As customers manage their pentests on the Cobalt platform, we make sure that there are defenses keeping their information secure. One such example is using 2FA to log into the platform. Users have the option to set up 2FA for their accounts, and organization owners can enforce 2FA setup for everyone within their team.
But life happens, and sometimes users lose their registered devices. We’ve now made it simpler to request a 2FA reset. This blog post explains the process in more detail.
User loses their registered device
Prior to this update, users needed to reach out to Cobalt staff to help reset access to their account. This is no longer necessary. Instead, they can follow the new account recovery flow:
- Sign in using email & password
- Click “Start account recovery process”
The user will get an identity verification email with a one-time passcode. Note that the code expires in 5 minutes.
Once the user submits the code, their organization owner will receive an email alert.
Organization owner actions the alert
While we have this identity verification process in place, we recommend that organization owners internally confirm with their colleague that they requested a 2FA reset – this can act as an extra layer of defense that strengthens overall security.
To action the request, the organization owner can disable 2FA by:
- Logging into app.cobalt.io
- Visiting the People page
- Clicking the meatball menu
- Turning off 2FA for that specific user
User receives an update to their email
The user can now log in as though 2FA is not enabled. If their organization enforces 2FA, they will get a prompt to set it up with a new device before gaining further access to the Cobalt platform.
With this adjustment, we make it easier for customers to manage 2FA independently, with no intervention required from Cobalt staff. The platform captures and logs all of these actions in case they need to be reviewed at a later time.
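As an added illustration, not Cobalt's own code, the flow above modelled in Python: a hashed, single-use emailed code that expires after 5 minutes, an organization-owner step that only succeeds once that code has been verified, an enrollment prompt on the next login when the organization enforces 2FA, and an audit list of every action. Class and event names (RecoveryService, "owner_alerted", etc.) are assumptions for the example.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300  # the post's 5-minute one-time passcode expiry
@dataclass
class RecoveryRequest:
    code_hash: str          # only a SHA-256 of the emailed code is stored
    expires_at: float
    code_verified: bool = False
class RecoveryService:
    def __init__(self, org_enforces_2fa: bool, clock=time.time):
        self.org_enforces_2fa = org_enforces_2fa
        self.clock = clock                          # injectable for expiry checks
        self.requests: dict[str, RecoveryRequest] = {}
        self.twofa_enabled: dict[str, bool] = {}    # missing user => 2FA still on
        self.audit: list[tuple[str, str]] = []      # (event, user), reviewable later

    def start_recovery(self, user: str) -> str:
        # Called only after email + password succeeded; returns the code to email.
        code = f"{secrets.randbelow(10**6):06d}"
        code_hash = hashlib.sha256(code.encode()).hexdigest()
        self.requests[user] = RecoveryRequest(code_hash, self.clock() + OTP_TTL_SECONDS)
        self.audit.append(("recovery_started", user))
        return code

    def verify_code(self, user: str, code: str) -> bool:
        req = self.requests.get(user)
        if (req is None or req.code_verified or self.clock() > req.expires_at
                or not hmac.compare_digest(req.code_hash, hashlib.sha256(code.encode()).hexdigest())):
            self.audit.append(("code_rejected", user))
            return False
        req.code_verified = True                    # single use
        self.audit.append(("owner_alerted", user))  # the org owner's email alert
        return True

    def owner_disable_2fa(self, owner: str, user: str) -> bool:
        # The owner may only act on a request whose code has been verified.
        req = self.requests.get(user)
        if req is None or not req.code_verified:
            return False
        del self.requests[user]
        self.twofa_enabled[user] = False
        self.audit.append((f"2fa_disabled_by:{owner}", user))
        return True

    def next_login_step(self, user: str) -> str:
        if self.twofa_enabled.get(user, True):      # 2FA still registered
            return "prompt_2fa_code"
        return "enroll_new_device" if self.org_enforces_2fa else "granted"
```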