Jul 10 2018
- last edited on
Jul 24 2020
Currently, the SSPR verification site is accessible once a user clicks "Can't access your account?". There is nothing restricting viewing/accessing this site.
Is it possible restrict access to this SSPR verification site only after a user is validated by MFA? Customer wants to add a level security so only users that are MFA verified access to the SSPR verification site to enter the validation information needed. They are not concerned with SSPR process, it works fine. They want to minimize spray attacks using verification information.
It is understood, that using verification using txt or call my phone and email address can be used. However, the question is accessing the verification site and not the methods of verification.
If MFA cannot be used, what other combination of methods can be leveraged?
Jul 11 2018 02:28 AM
I'm afraid you can't do that. That's because when someone is accessing the SSPR site, the site doesn't know yet which user is accessing the site.