Require MFA prior to accessing SSPR URL

Highlighted
Occasional Contributor

Currently, the SSPR verification site is accessible once a user clicks "Can't access your account?". There is nothing restricting viewing/accessing this site.

Is it possible restrict access to this SSPR verification site only after a user is validated by MFA? Customer wants to add a level security so only users that are MFA verified access to the SSPR verification site to enter the validation information needed. They are not concerned with SSPR process, it works fine. They want to minimize spray attacks using verification information.

It is understood, that using verification using txt or call my phone and email address can be used. However, the question is accessing the verification site and not the methods of verification. 

If MFA cannot be used, what other combination of methods can be leveraged? 

 

Thanks,

Oscar

2 Replies
Highlighted

I'm afraid you can't do that. That's because when someone is accessing the SSPR site, the site doesn't know yet which user is accessing the site.

Highlighted

Surely to use MFA would need them to know their password in the first place ...