The MFA features are great, but, for the account owner, some transparency into what form of MFA has been configured would be ideal.
For instance, if the person adds SMS or a Voice Call feature, I think some employers would like to know/verify that the phone number associated with the account is a work number. That is, that the phone number is not for a personal device.
Companies often enforce security policies on their own devices, so they may not want users adding personal devices (where security may not be as tight).
Disabling certain forms of MFA would also be useful, for the same reason. If a user adds Okta authentication, that form of MFA is only as secure as the phone it was added to.
Further, if the account owner could configure MFA for the user, I think that would also be useful.
Complete picture: I add a work cell phone number for SMS and voice for a new user I onboard, and disable Okta and Google Authenticator (because they can be installed on any device, and I don't have any control over the security of that device).
Thoughts?